
Nokia 7950 Advanced Configuration Manual

Part II, Releases Up To 15.0.R5: Ethernet Service Switch; Service Router; Extensible Routing System

Advanced Configuration Guide - Part II Releases Up To 15.0.R5
7450 Ethernet Service Switch
7750 Service Router
7950 Extensible Routing System
3HE 13718 AAAA TQZZA 01
Issue: 01
November 2017
Nokia — Proprietary and confidential.
Use pursuant to applicable agreements.



  Summary of Contents for Nokia 7950

  • Page 2 © 2017 Nokia. Contains proprietary/trade secret information which is the property of Nokia and must not be made available to, or copied or used by anyone outside Nokia without its written authorization. Not to be used or disclosed except in accordance with applicable agreements.
  • Page 3: Table Of Contents

    Table of Contents
    Preface, p. 21
      About This Guide, p. 21
    Services Overview, p. 25
    G.8032 Ethernet Ring Protection Multiple Ring Topology, p. 27
      Applicability, p. 27
      Overview, p. 27
      Configuration, p. 35
      Conclusion, p. 70
    G.8032 Ethernet Ring Protection Single Ring Topology, p. 71
      Applicability, p. 71
      Overview...
  • Page 4: Table Of Contents

      Conclusion, p. 221
    Black-hole MAC for EVPN Loop Protection, p. 223
      Applicability, p. 223
      Overview, p. 223
      Configuration, p. 227
      Conclusion, p. 237
    Conditional Static Black-Hole MAC in EVPN, p. 239
      Applicability, p. 239
      Overview, p. 239
      Configuration, p. 242
      Conclusion, p. 268
    EVPN for MPLS Tunnels, p. 269...
  • Page 5: Table Of Contents

      Conclusion, p. 486
    EVPN Interconnect Ethernet Segments, p. 487
      Applicability, p. 487
      Overview, p. 487
      Configuration, p. 488
      Conclusion, p. 512
    EVPN-MPLS Interconnect for EVPN-VXLAN VPLS Services, p. 513
      Applicability, p. 513
      Overview, p. 513
      Configuration, p. 515
      Conclusion, p. 538
    Fully Dynamic VSD Integration Model, p. 539
      Applicability, p. 539
      Overview...
  • Page 6: Table Of Contents

      Configuration, p. 675
      Conclusion, p. 695
    Multi-Segment Pseudowire Routing, p. 697
      Applicability, p. 697
      Summary, p. 697
      Overview, p. 698
      Configuration, p. 701
      Conclusion, p. 745
    P2MP mLDP Tunnels for BUM Traffic in EVPN-MPLS Services, p. 747
      Applicability, p. 747
      Overview, p. 747
      Configuration...
  • Page 7: Table Of Contents

    Virtual Ethernet Segments, p. 911
      Applicability, p. 911
      Overview, p. 911
      Configuration, p. 915
      Conclusion, p. 923
    VLAN Range SAPs for VPLS and Epipe Services, p. 925
      Applicability, p. 925
      Overview, p. 925
      Configuration, p. 935
      Conclusion, p. 943
    Layer 3 Services, p. 945
    BGP Best External in a VPRN, p. 947
      Applicability, p. 947...
  • Page 8: Table Of Contents

    NG-MVPN Sender-Only, Receiver-Only, p. 1119
      Applicability, p. 1119
      Overview, p. 1119
      Configuration, p. 1121
      Conclusion, p. 1170
    NG-MVPN Source Redundancy, p. 1171
      Applicability, p. 1171
      Summary, p. 1171
      Overview, p. 1172
      Configuration, p. 1174
      Conclusion, p. 1202
    NG-MVPN Wildcard S-PMSI, p. 1203
      Applicability, p. 1203
      Overview, p. 1203
      Configuration...
  • Page 9: Table Of Contents

    Quality of Service, p. 1353
    Class Fair Hierarchical Policing for SAPs, p. 1355
      Applicability, p. 1355
      Summary, p. 1355
      Overview, p. 1356
      Configuration, p. 1365
      Conclusion, p. 1392
    FP and Port Queue Groups, p. 1393
      Applicability, p. 1393
      Overview, p. 1393
      Configuration...
  • Page 11 List of tables
    G.8032 Ethernet Ring Protection Multiple Ring Topology, p. 27
      Table 1 Terminology Comparison, p. 30
    BGP VPLS, p. 189
      Table 2 VE-IDs and Labels, p. 198
      Table 3 VE-IDs and Number of Labels, p. 199
    EVPN for MPLS Tunnels, p. 269
      Table 4 Comparing EVPN Multi-homing and BGP Multi-homing, p. 314...
  • Page 12
    FP and Port Queue Groups, p. 1393
      Table 20 Default QoS and Queue Group Comparison, p. 1394
      Table 21 Queue Group Templates - Ingress, p. 1397
      Table 22 Queue Group Templates - Egress, p. 1397
      Table 23 Network Ingress FP Queue Group Policer Usage, p. 1404
    QoS Architecture and Basic Operation, p. 1535...
  • Page 13 List of figures
    G.8032 Ethernet Ring Protection Multiple Ring Topology, p. 27
      Figure 1 G.8032 Major Ring and Sub-Ring, p. 31
      Figure 2 G.8032 Ring Components, p. 33
      Figure 3 G.8032 Sub-Ring Interconnection Components, p. 34
      Figure 4 Ethernet Test Topology, p. 39
      Figure 5...
  • Page 14
    BGP VPLS, p. 189
      Figure 29 Network Topology, p. 190
      Figure 30 BGP VPLS Using Auto-Provisioned SDPs, p. 196
      Figure 31 BGP VPLS Using Pre-Provisioned SDP, p. 212
    Black-hole MAC for EVPN Loop Protection, p. 223
      Figure 32 Black-hole MAC for EVPN Loop Protection, p. 224
      Figure 33 Example Topology, p. 227...
  • Page 15
      Figure 60 EVPN MAC Mobility, p. 438
    EVPN for VXLAN Tunnels (Layer 3), p. 447
      Figure 61 EVPN-VXLAN for R-VPLS Services, p. 449
      Figure 62 BGP adjacencies and enabled families, p. 452
      Figure 63 EVPN-VXLAN for IRB Backhaul R-VPLS Services, p. 457
      Figure 64 EVPN-VXLAN in EVPN-tunnel R-VPLS Services, p. 466
      Figure 65...
  • Page 16
      Figure 91 LDP VPLS Using BGP-AD with prefer-provisioned-sdp Option, p. 661
      Figure 92 Example Topology, p. 662
      Figure 93 SDP Bindings in VPLS 1 with use-provisioned-sdp Option, p. 666
      Figure 94 Auto-Created SDP Bindings in VPLS 2, p. 666
      Figure 95 SDP Bindings in VPLS 1 with prefer-provisioned-sdp Option, p. 670
    Multi-Chassis Endpoint for VPLS Active/Standby Pseudowire, p. 671...
  • Page 17
      Figure 126 Send Flush on BVPLS Failure Example, p. 837
      Figure 127 Inter-Domain B-VPLS and MMRP Policies/ISID-Based Filters Example, p. 843
    Preference-based and Non-revertive EVPN DF Election, p. 855
      Figure 128 Virtual Ethernet Segments, p. 856
      Figure 129 BGP-EVPN Extended Community for DF Election, p. 857
      Figure 130 Example Topology with All-active and Single-active vESs, p. 858...
  • Page 18
      Figure 156 Example Topology, p. 955
      Figure 157 Loadsharing for Traffic from PE-3 Destined to 10.0.0.0/8, p. 972
    Carrier Supporting Carrier IP VPNs, p. 975
      Figure 158 CSC Network Topology, p. 976
    Layer 3 VPN: VPRN Type Spoke, p. 999
      Figure 159 CE Hub and Spoke Data Path, p. 1000
      Figure 160...
  • Page 19
    Rosen MVPN Inter-AS Option B, p. 1257
      Figure 188 General Topology for Inter-AS MVPN, p. 1258
      Figure 189 Protocols Used for Inter-AS MVPN, p. 1258
      Figure 190 BGP Signaling Steps, p. 1261
      Figure 191 PIM-P Signaling Steps for Default MDT, p. 1262
      Figure 192 PIM-C Signaling, p. 1263...
  • Page 20
    Pseudowire QoS, p. 1513
      Figure 223 Ingress PW QoS, p. 1514
      Figure 224 Egress PW QoS, p. 1515
      Figure 225 Example Epipe Pseudowire Topology, p. 1518
    QoS Architecture and Basic Operation, p. 1535
      Figure 226 Service and Network QoS Policies, p. 1538
      Figure 227 Visualization of Default Network Policies, p. 1556
      Figure 228...
  • Page 21: About This Guide

    List of Technical Publications
    The 7x50 series documentation set also includes the following guides:
    • 7450 ESS, 7750 SR, 7950 XRS, and VSR Basic System Configuration Guide...
  • Page 22 Service Access Points (SAPs), Service Distribution Points (SDPs), customer information, and user services. • 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 2 Services and EVPN Guide: VLL, VPLS, PBB, and EVPN...
  • Page 23 Lines (VLLs), Virtual Private LAN Service (VPLS), Provider Backbone Bridging (PBB), and EVPN. • 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 3 Services Guide: IES and VPRN Describes Layer 3 service functionality and provides examples to configure and implement Internet Enhanced Services (IES) and Virtual Private Routed Network (VPRN) services.
  • Page 25: Services Overview

    In This Section
    This section provides configuration information for the following topics:
    • G.8032 Ethernet Ring Protection Multiple Ring Topology
    • G.8032 Ethernet Ring Protection Single Ring Topology...
  • Page 27: G.8032 Ethernet Ring Protection Multiple Ring Topology

    This chapter provides information about G.8032 Ethernet ring protection multiple ring topologies. Topics in this chapter include: •...
  • Page 28 and service availability. Each ring node is connected to adjacent nodes participating in the same ring using two independent paths, which use ring links (configured on ports or link aggregation groups (LAGs)).
  • Page 29
    • Forwarding database MAC flush on ring status change
    • RPL (Ring Protection Link) − Defines blocked link in idle status
    When sub-rings are used, they can either connect to a major ring (which is configured in the exact same way as a single ring) or another sub-ring, or to a VPLS service.
  • Page 30 Table 1 Terminology Comparison
    ITU-T G.8032v2 Terminology | SROS Terminology
    ETH_FF | control vpls
    Service_FF | data vpls
    East Ring Link | path a
    West Ring Link | path b
    RPL owner | rpl-node owner...
  • Page 31 Figure 1: G.8032 Major Ring and Sub-Ring...
  • Page 32 An RPL owner and RPL neighbor are configured for both the major ring and sub-ring. The path and associated link will be the RPL when the ring is fully operational and will be blocked by the RPL owner whenever there is no fault on other ring links.
  • Page 33 SROS Implementation
    G.8032 is built from VPLS components and each ring consists of the configuration components illustrated in Figure
    Figure 2: G.8032 Ring Components...
  • Page 34 Figure 3: G.8032 Sub-Ring Interconnection Components...
  • Page 35: Configuration

    The R-APS tags (ring automatic protection switching tags) and SAPs on the rings can either be dot1Q or QinQ encapsulated. It is also possible to have the control VPLS using single tagged frames with the data VPLSs using double tagged frames;...
  • Page 36
    • <ring-index> — This is the number by which the ring is referenced, values: 1 to 128.
    • ccm-hold-time { [down <down-timeout>] [up <up-timeout>] } −...
  • Page 37 • guard-time <time> — The forwarding method, in which R-APS messages are copied and forwarded at every Ethernet ring node, can result in a message corresponding to an old request, that is no longer relevant, being received by Ethernet ring nodes.
  • Page 38 • rpl-node {owner|nbr} — A node can be designated as either the owner of the RPL, in which case this node is responsible for the RPL, or the nbr (neighbor), in which case this node is expected to be the neighbor to the RPL owner across the RPL.
  • Page 39 Figure 4: Ethernet Test Topology...
  • Page 40
    • Eth-ring for sub-ring 2
    • Control channel service and add Eth-ring SAPs
    • User data channels
    Configure the Encapsulation for the Ring Ports. Eth-Ring needs an R-APS tag to send/receive G.8032 signaling messages.
  • Page 41 Loss-of-signal, in conjunction with other OAM mechanisms, is applicable only when the nodes are directly connected. Figure 5 shows the details of the MEPs and their associations configured when both the major and sub rings are used.
  • Page 42
                exit
                association 14 format icc-based name "Association14"
                    ccm-interval 1
                    remote-mepid 144
                exit
            exit
        exit
    Ring node PE-2: Association 12 and 23 are used for the major ring.
        *A:PE-2# configure eth-cfm
            domain 1 format none level 2...
  • Page 43
                association 34 format icc-based name "Association34"
                    ccm-interval 1
                    remote-mepid 343
                exit
            exit
        exit
    Configuring Eth-Ring – Major Ring 1
    Two paths must be configured to form a ring. In this example, VLAN tag 1.1 is used as control channel for R-APS signaling for the major ring (ring 1) on the ports shown in Figure 4 using the ETH CFM information shown in...
  • Page 44
        *A:PE-1>config>eth-ring>path# no shutdown
        INFO: ERMGR #1001 Not permitted - must configure eth-cfm MEP first
    While MEPs are mandatory, enabling CCMs on the MEPs under the paths as a failure detection mechanism is optional as explained earlier.
  • Page 45
        eth-ring 1
            description "Ethernet Ring 1"
            revert-time 60
            rpl-node nbr
            path a 1/1/3 raps-tag 1.1
                description "Ethernet Ring 1 - PathA"
                eth-cfm
                    mep 133 domain 1 association 13
                        ccm-enable
                        control-mep
                        no shutdown...
  • Page 46 Ring node PE-1 provides an interconnection between the major ring (1) and the sub-ring (2). Ring 2 is configured to be a sub-ring which interconnects to ring 1. It will use a virtual link on ring 1 to send R-APS messages to the other interconnection node and topology changes will be propagated from sub-ring 2 to the major ring 1.
  • Page 47
    Ring node PE-4: This node only has configuration for the sub-ring, ring 2. It is also the RPL owner, with path “b” being the RPL end, for the RPL between PE-3 and PE-
        *A:PE-4# configure eth-ring 2
            description "Ethernet Sub-ring 2"...
  • Page 48
        Defect Status
        Sub-Ring Type : none
        -------------------------------------------------------------------------------
        Ethernet Ring Path Summary
        -------------------------------------------------------------------------------
        Path Port Raps-Tag Admin/Oper Type Fwd State
        -------------------------------------------------------------------------------
        1/1/1 Up/Down normal blocked
        1/1/3 Up/Down...
  • Page 49
    Ring node PE-3: Control service for the major ring.
        *A:PE-3# configure service
            vpls 1 customer 1 create
                description "Control VID 1.1 for Ring 1 - Major Ring"
                sap 1/1/2:1.1 eth-ring 1 create
                exit
                sap 1/1/3:1.1 eth-ring 1 create...
  • Page 50
            vpls 2 customer 1 create
                description "Virtual Channel VID 2.1 for Ring 2"
                sap 1/1/1:2.1 eth-ring 1 create
                exit
                sap 1/1/2:2.1 eth-ring 1 create
                exit
                no shutdown
    If multiple virtual channels are used (due to the aggregation of multiple sub-rings into...
  • Page 51 At this point, the Eth-Ring 1 is operationally up and the RPL is blocking successfully on ring node PE-2 port 1/1/1, as expected for the RPL owner/end configuration and on port 1/1/2 on PE-3 as the RPL neighbor.
  • Page 52
    Ring node PE-1:
        *A:PE-1# show eth-ring 1
        ===============================================================================
        Ethernet Ring 1 Information
        ===============================================================================
        Description : Ethernet Ring 1
        Admin State : Up
        Oper State : Up
        Node ID : 4a:c4:ff:00:00:00...
  • Page 53
        ===============================================================================
        *A:PE-2#
    PE-2 is the RPL owner with port 1/1/1 as an RPL end, which is blocked as expected. The revert-time is also shown to be the configured value. Detailed information is shown relating to the R-APS PDUs being transmitted on this ring as this node is the RPL owner.
  • Page 54
        Node ID : 4a:c4:ff:00:00:00
        Guard Time : 5 deciseconds
        RPL Node : rplNone
        Max Revert Time : 60 seconds
        Time to Revert : N/A
        CCM Hold Down Time : 0 centiseconds
        CCM Hold Up Time : 20 deciseconds...
  • Page 55
    Ring Node PE-4: Sub-ring.
        *A:PE-4# show eth-ring 2
        ===============================================================================
        Ethernet Ring 2 Information
        ===============================================================================
        Description : Ethernet Sub-ring 2
        Admin State : Up
        Oper State : Up
        Node ID...
  • Page 56
    The ring hierarchy created can be shown, either for all rings, or as below for a specific ring.
        *A:PE-1# show eth-ring 1 hierarchy
        ===============================================================================
        Ethernet Ring 1 (hierarchy)
        ===============================================================================...
  • Page 57
        *A:PE-2# configure service
            vpls 11 customer 1 create
                description "Data VPLS"
                sap 1/1/1:1.11 eth-ring 1 create
                exit
                sap 1/1/2:1.11 eth-ring 1 create
                exit
                sap 1/2/1:11 create
                    description "Sample Customer Service SAP"...
  • Page 58
        1/1/3:1.11 Data
        -------------------------------------------------------------------------------
        Number of SAPs : 8
        ===============================================================================
        *A:PE-1#
    Statistics are available showing both the CCM and R-APS messages sent and received on a node. An associated clear command is available.
        *A:PE-1# show eth-cfm statistics
        ===============================================================================
        ETH-CFM System Statistics...
  • Page 59 For troubleshooting, the tools dump eth-ring <ring-index> command displays path information, the internal state of the control protocol, related statistics information and up to the last 16 protocol events (including messages sent and received, and the expiration of timers).
  • Page 60 IDLE RxF<- Fwd Fwd 000 04:26:01.010 PROT ----- Fwd Fwd 000 04:26:01.010 PROT : 0xb000 TxF-> Blk Fwd 000 04:26:03.850 pdu A: 4a:c5:ff:00:00:00-0xb020 Sf PROT : 0xb000 RxF<- Blk Fwd 000 04:31:27.710...
  • Page 61
                    propagate-topology-change
                exit
            exit
            path a 1/1/2 raps-tag 2.1
                description "Ethernet Ring 2 - PathA"
                eth-cfm
                    mep 141 domain 1 association 14
                        ccm-enable
                        control-mep
                        no shutdown
                    exit
                exit...
  • Page 62
        *A:PE-1# show service sap-using eth-ring
        ===============================================================================
        Service Access Points (Ethernet Ring)
        ===============================================================================
        SapId SvcId Eth-Ring Path Admin Oper Blocked Control/
        State State Data
        -------------------------------------------------------------------------------
        1/1/1:1.1 Ctrl...
  • Page 63 Configuration of a Sub-Ring to a VPLS Service (with a Non-Virtual Link)
    Sub-rings can be connected to VPLS services, in which case a virtual link is not used and is not configurable.
  • Page 64 The differences for the VPLS service connection to the configuration when the sub-ring is connected to a major ring without a virtual link are: •...
  • Page 65
            sub-ring non-virtual-link
            exit
            path a 1/1/1 raps-tag 2.1
                description "Ethernet Ring 2 - PathA"
                eth-cfm
                    mep 144 domain 1 association 14
                        ccm-enable
                        control-mep
                        no shutdown
                    exit
                exit...
  • Page 66
        ===============================================================================
        Description : Ethernet Sub-ring 2 on Major Ring 1
        Admin State : Up
        Oper State : Up
        Node ID : 4a:c4:ff:00:00:00
        Guard Time : 5 deciseconds
        RPL Node : rplNone...
  • Page 67
        *A:PE-1# configure port 1/1/2 shutdown
        100 2016/05/10 07:16:59.16 UTC WARNING: SNMP #2004 Base 1/1/2
        "Interface 1/1/2 is not operational"
        101 2016/05/10 07:16:59.16 UTC MINOR: ERING #2001 Base eth-ring-2
        "Eth-Ring 2 path a changed fwd state to blocked"...
  • Page 68
        tools perform eth-ring force <ring-index> path {a|b}
        tools perform eth-ring manual <ring-index> path {a|b}
    In the following output, path “b” of eth-ring 1 is manually blocked and then cleared. Initially, both ports are unblocked.
  • Page 69
        Path Port Raps-Tag Admin/Oper Type Fwd State
        -------------------------------------------------------------------------------
        1/1/1 Up/Up normal unblocked
        1/1/3 Up/Up normal blocked
        ===============================================================================
        *A:PE-1#
        *A:PE-1#
        *A:PE-1# tools perform eth-ring clear 1
        *A:PE-1# show eth-ring 1
        ===============================================================================
        Ethernet Ring 1 Information...
  • Page 70: Conclusion

    Ethernet Ring APS provides an optimal solution for designing native Ethernet services with ring topology. With sub-rings, both multiple rings and access rings increase the versatility of G.8032.
  • Page 71: G.8032 Ethernet Ring Protection Single Ring Topology

    This chapter provides information about G.8032 Ethernet ring protection single ring topology. Topics in this chapter include: •...
  • Page 72 The fundamentals of this ring protection switching architecture are:
    • the principle of loop avoidance and
    • the utilization of learning, forwarding, and address table mechanisms defined in the ITU-T G.8032v2 Ethernet flow forwarding function (ETH_FF) (Control plane).
  • Page 73 Figure 7 shows a ring of six nodes, with the RPL owner on the top right. One link of the RPL owner is designated to be the RPL and will be blocked in order to prevent a loop.
  • Page 74 The protection protocol uses a specific control VLAN, with the associated data VLANs taking their forwarding state from the control VLAN.
    Configuration
    The example topology is shown in Figure
    Figure 8: Example Topology...
  • Page 75
        sub-ring {virtual-link|non-virtual-link}
    Parameters:
    • ring-index — This is the number by which the ring is referenced, values: 1 to 128.
    • ccm-hold-time {[down <down-timeout>] [up <up-timeout>]} −...
  • Page 76 • guard-time <time> — The forwarding method, in which R-APS messages are copied and forwarded at every Ethernet ring node, can result in a message corresponding to an old request, that is no longer relevant, being received by Ethernet ring nodes.
  • Page 77 • sub-ring {virtual-link|non-virtual-link} — This is beyond the scope of this chapter, as it is only required for multiple ring topologies.
    Prerequisites
    Logging
    Create the following log-id on PE-2 to see major events logged to the console on PE-2.
  • Page 78 Configure ETH-CFM
    Ethernet Ring requires Eth-CFM domains, associations and MEPs to be configured. The domain format should be none and the association name should be ITU-T carrier code-based (ICC-based - Y.1731).
  • Page 79
        eth-cfm
            domain 1 format none level 3
                association 1 format icc-based name "ring1_1_2"
                    ccm-interval 1
                    remote-mepid 1122
                exit
                association 2 format icc-based name "ring1_1_3"
                    ccm-interval 1
                    remote-mepid 1133
                exit...
  • Page 80
    PE-1:
        configure
            eth-ring 1
                path a 1/1/1 raps-tag 1
                    eth-cfm
                        mep 1121 domain 1 association 1
                            ccm-enable
                            control-mep
                            no shutdown
                        exit
                    exit
                    no shutdown
                exit
                path b 1/1/2 raps-tag 1
                    eth-cfm...
  • Page 81
                        exit
                    exit
                    no shutdown
                exit
                path b 1/1/2 raps-tag 1 rpl-end
                    eth-cfm
                        mep 1122 domain 1 association 2
                            ccm-enable
                            control-mep
                            no shutdown
                        exit
                    exit
                    no shutdown
                exit...
  • Page 82 Until the Ethernet Ring instance is attached to the service (VPLS in this case), the ring operational status is down and the forwarding status of each port is blocked. This prevents the operator from creating a loop by misconfiguration.
  • Page 83 exit no shutdown exit PE-2: configure service vpls 1 customer 1 create sap 1/1/1:1 eth-ring 1 create exit sap 1/1/2:1 eth-ring 1 create exit no shutdown exit...
  • Page 84 ------------------------------------------------------------------------------- a - 1/1/1 ----- b - 1/1/2 ----- =============================================================================== Ethernet Tunnel MEP Defect Legend: R = Rdi, M = MacStatus, C = RemoteCCM, E = ErrorCCM, X = XconCCM *A:PE-2# The ring and path forwarding states are shown with the following command.
  • Page 85 =============================================================================== Ethernet Ring 1 Information =============================================================================== Description : (Not Specified) Admin State : Up Oper State : Up Node ID : 4a:c5:ff:00:00:00 Guard Time 5 deciseconds RPL Node : rplOwner...
  • Page 86 On reversion, the following console message is logged. 68 2016/05/02 11:22:50.87 UTC MINOR: ERING #2001 Base eth-ring-1 "Eth-Ring 1 path b changed fwd state to blocked" PE-3: *A:PE-3# show eth-ring 1 ===============================================================================...
  • Page 87 Configure User Data Channel VPLS Service The user data channels are created on a separate VPLS, VPLS 100 in the example. Tag 100 and VPLS 100 are used here. The ring data channels must be on the same ports as the corresponding control channels configured above.
  • Page 88 All of the SAPs which are configured to use ETH rings can be shown, using PE-1 as an example. *A:PE-1# show service sap-using eth-ring =============================================================================== Service Access Points (Ethernet Ring) ===============================================================================...
  • Page 89 path-b, port 1/1/2 (Up), tag 1.0(Up) status (Up/Up/Blk) cc (Dn/Up): Cnt 3/3 tm 000 00:41:33.740/000 00:41:33.960 state: Cnt 11 B/F 000 00:49:11.680/000 00:47:58.630, flag: 0x0 FsmState= IDLE, Rpl = Owner, revert = 60 s, guard = 5 ds Defects =...
  • Page 90 Conclusion Ethernet Ring APS provides an optimal solution for designing native Ethernet services with ring topology. This protocol provides simple configuration, operation and guaranteed fast protection time. SROS also has a flexible encapsulation that allows dot1Q, qinq or PBB for the ring traffic.
  • Page 91: Layer 2 Services and EVPN

    Layer 2 Services and EVPN In This Section This section provides configuration information for the following topics: • Auto-Learn MAC Protect in EVPN • BGP Multi-Homing for VPLS Networks •...
  • Page 92 • Shortest Path Bridging for MAC • Virtual Ethernet Segments • VLAN Range SAPs for VPLS and Epipe Services
  • Page 93: Auto-Learn MAC Protect in EVPN

    Auto-Learn MAC Protect in EVPN This chapter provides information about Auto-Learn MAC Protect in EVPN. Topics in this chapter include: • Applicability • Overview • Configuration •...
  • Page 94 Configuring static MAC addresses is not scalable if large numbers of MAC addresses need to be protected. Also, configuring static MAC addresses is not an option when the MAC addresses are unknown.
  • Page 95 However, RPS-DF can optionally be configured on destinations in EVPN MPLS or EVPN VXLAN, where data plane MAC learning is never performed for incoming traffic. For EVPN MPLS, the RPS-DF configuration is in the BGP EVPN context, as follows: configure service vpls 1 bgp-evpn mpls restrict-protected-src discard-frame For EVPN VXLAN, the RPS-DF configuration is in the VXLAN context, as follows:...
  • Page 96 Note: The restrict-protected-src alarm-only and restrict-unprotected-dst configurations are not allowed in EVPN. Protection is provided at the point where a MAC address first enters the EVPN part of the network.
  • Page 97 [Figure 10: Example Topology - No LAG]
  • Page 98 On PE-2, VPLS 1 is configured with EVPN MPLS and contains a SAP toward CE-20 and a SAP toward MTU-1, as follows: configure service vpls 1 customer 1 create exit bgp-evpn evi 1...
  • Page 99 • RPS-DF on EVPN MPLS destinations, MAC first learned on PE-2 • RPS-DF on EVPN MPLS destinations, MAC simultaneously learned on PE-2 and PE-3 • No RPS-DF on EVPN MPLS destinations, MAC simultaneously learned on PE-2 and PE-3 −...
  • Page 100 [Figure 11: MAC Address Learned Simultaneously on SAPs on PE-2 and PE-3]
  • Page 101 The following shows the settings for EVPN MAC address duplication detection, which are the default. It also lists the detected duplicate MAC addresses of CE-10 and CE-20: *A:PE-3# show service id 1 bgp-evpn ===============================================================================...
  • Page 102 The MAC addresses are in a hold-down state on the EVPN destinations and no MAC address moves take place until the next MAC address duplication detection retry after 9 minutes.
  • Page 103 Seq:4 LABEL 262140 192.0.2.2 u*>i 192.0.2.2:1 aa:aa:02:20:20:20 ESI-0 Seq:4 LABEL 262140 192.0.2.2 ------------------------------------------------------------------------------- Routes : 2 =============================================================================== *A:PE-3# PE-3 does not use these BGP EVPN MAC address routes in its FDB, because locally learned MAC addresses are preferred.
  • Page 104 ------------------------------------------------------------------------------- Routes : 4 =============================================================================== *A:PE-4# In the preceding output, MAC aa:aa:01:10:10:10 is learned from BGP peer 192.0.2.3 with MAC mobility sequence number 3, and from BGP peer 192.0.2.2 with sequence number 4.
  • Page 105 No ALMP on SAPs, RPS-DF on EVPN Destinations When there are no protected MAC addresses (ALMP is disabled and no static MAC addresses are configured), the behavior is as described earlier. RPS-DF discards frames with protected MAC addresses that were not learned on the object, but there are no protected MAC addresses, because ALMP is not configured.
  • Page 106 RestMacProtSrc Act : none (oper: Discard-frame) ---snip--- ALMP and RPS-DF on SAPs, RPS-DF on EVPN MPLS Destinations, MAC First Learned on PE-2 Initially, the SAP on PE-3 is shut down to ensure that the MAC address will first be learned on PE-2, then on PE-3, as follows: *A:PE-3# configure service vpls 1 sap 1/2/3:1 shutdown Each learned MAC address on the SAPs on PE-2 will be protected;...
  • Page 107 Flag: 0x40 Type: 5 Len: 4 Local Preference: 100 Flag: 0xc0 Type: 16 Len: 24 Extended Community: target:64500:1 bgp-tunnel-encap:MPLS mac-mobility:Seq:0/Static " Note: The MPLS label is label1 in the BGP update divided by 16 (2^4), as follows: [Figure 12] PE-2 sends similar BGP EVPN updates to peer PE-4.
  • Page 108 =============================================================================== Forwarding Database, Service 1 =============================================================================== ServId Source-Identifier Type Last Change ------------------------------------------------------------------------------- aa:aa:01:10:10:10 eMpls: 05/11/17 15:06:35 EvpnS 192.0.2.2:262140 aa:aa:02:20:20:20 eMpls: EvpnS 05/11/17 15:06:35 192.0.2.2:262140 ------------------------------------------------------------------------------- No.
  • Page 109 =============================================================================== Flag Route Dist. MacAddr Mac Mobility Label1 Ip Address NextHop ------------------------------------------------------------------------------- u*>i 192.0.2.2:1 aa:aa:01:10:10:10 ESI-0 LABEL 262140 Static 192.0.2.2 u*>i 192.0.2.2:1 aa:aa:02:20:20:20 ESI-0 Static LABEL 262140 192.0.2.2 -------------------------------------------------------------------------------...
  • Page 110 Because the MAC address was protected on the SAP on PE-2 and the BGP EVPN MAC route update had been received by PE-3 before any frame was received with this MAC SA, there will be no temporary loop.
  • Page 111 [Figure 14: MAC Learned and Protected Simultaneously on PEs - RPS-DF on EVPN Endpoints. Annotation: MAC aa:aa:01:10:10:10 is protected on SAPs on PE-2 and PE-3]
  • Page 112 *A:PE-2# show service id 1 fdb detail =============================================================================== Forwarding Database, Service 1 =============================================================================== ServId Source-Identifier Type Last Change ------------------------------------------------------------------------------- aa:aa:01:10:10:10 sap:1/2/3:1 LP/0 05/11/17 15:09:17 aa:aa:02:20:20:20 sap:1/2/1:1 LP/0 05/11/17 15:09:17 -------------------------------------------------------------------------------...
  • Page 113 Flag: 0x80 Type: 4 Len: 4 MED: 0 Flag: 0x40 Type: 5 Len: 4 Local Preference: 100 Flag: 0xc0 Type: 16 Len: 24 Extended Community: target:64500:1 bgp-tunnel-encap:MPLS mac-mobility:Seq:0/Static...
  • Page 114 When a frame is received at SAP 1/2/3:1 on PE-3 with protected MAC SA aa:aa:01:10:10:10, it is not dropped by the SAP, because this MAC SA has been learned and protected on this SAP on PE-3.
  • Page 115 ALMP and RPS on SAPs, RPS-DF on EVPN MPLS Destinations, MAC First Learned on PE-2 RPS-DF is enabled on the EVPN MPLS destinations on the PEs, as follows: configure service vpls 1 bgp-evpn mpls restrict-protected-src discard-frame To simulate a scenario where the MAC addresses are first learned on PE-2, the SAP on PE-3 is shut down until the BGP EVPN MAC route updates are sent, as follows:...
  • Page 116 192.0.2.2:262140 ------------------------------------------------------------------------------- No. of MAC Entries: 2 ------------------------------------------------------------------------------- Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf =============================================================================== *A:PE-3# The SAP on PE-3 is enabled, as follows: configure service vpls 1 sap 1/2/3:1 no shutdown The operational state of the SAP is up, because no protected MAC addresses have been received yet:...
  • Page 117 [Figure 15: MAC Learned and Protected on SAP on PE-2 - RPS Enabled on SAP on PE-3. Annotation: MAC aa:aa:01:10:10:10 is protected on SAP on PE-2]
  • Page 118 Flags : RxProtSrcMac Multi Svc Site : None ---snip--- *A:PE-3# show service id 1 sap 1/2/3:1 detail =============================================================================== Service Access Points(SAP) =============================================================================== Service Id : 1/2/3:1 Encap : q-tag Description...
  • Page 119 [Figure 16: RPS Enabled on SAPs - RPS-DF on EVPN Endpoints, MACs Learned Simultaneously. Annotation: MAC aa:aa:01:10:10:10 is protected on SAPs on PE-2 and PE-3]
  • Page 120 The FDB on PE-3 contains MAC address aa:aa:01:10:10:10 that is locally learned and protected, and MAC address aa:aa:02:20:20:20 that is protected on PE-2, as follows: *A:PE-3# show service id 1 fdb detail =============================================================================== Forwarding Database, Service 1...
  • Page 121 ALMP in All-Active Multi-Homing SAPs All-active multi-homing for EVPN MPLS is explained in chapter EVPN for MPLS Tunnels. ALMP is not required on all-active multi-homing SAPs. The following example shows that traffic can be dropped when ALMP is enabled on the SAPs and RPS-DF is enabled on the EVPN-MPLS destinations.
  • Page 122 exit exit exit exit exit ALMP is enabled on the SAPs on PE-2 and PE-3, as follows: configure service vpls 1 sap lag-1:1 auto-learn-mac-protect MAC address aa:aa:01:10:10:10 is learned and protected on PE-2 and PE-3, as follows: *A:PE-2# show service id 1 fdb detail ===============================================================================...
  • Page 123 ALMP in All-Active Multi-Homing, RPS-DF on EVPN MPLS Destinations ALMP is not recommended in all-active multi-homing because it can cause traffic loss. The following example shows when frames are dropped. Figure 18 shows the example setup with MAC address aa:aa:01:10:10:10 protected on SAP lag-1:1 on both PE-2 and PE-3, and RPS-DF enabled on the EVPN...
  • Page 124 versa. If the MAC address is not protected yet on PE-2, the first few messages get through until the MAC address is protected on PE-2. Both multi-homing PEs, PE-2 and PE-3, protect the MAC address aa:aa:01:10:10:10 on their local all-active SAP.
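
The source-MAC checks this chapter walks through (ALMP on SAPs, RPS or RPS-DF on SAPs and on EVPN destinations) can be followed in a small Python model, seen from PE-3. This is an added illustration, not Nokia code and not a full description of SR OS behavior: all class and function names are hypothetical, the object names are constructed from the outputs quoted above, and the handling of an object with no RPS configured is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

RPS = "restrict-protected-src"                   # violation takes the object oper-down
RPS_DF = "restrict-protected-src discard-frame"  # violation only drops the frame


@dataclass
class VplsObject:
    """A SAP or an EVPN destination of the VPLS (model object)."""
    name: str
    almp: bool = False          # auto-learn-mac-protect
    rps: Optional[str] = None   # None, RPS or RPS_DF
    learns: bool = True         # False for EVPN destinations: no data-plane learning
    oper_up: bool = True
    flags: Set[str] = field(default_factory=set)


@dataclass
class FdbEntry:
    obj: str
    protected: bool


class Vpls:
    def __init__(self) -> None:
        self.objects: Dict[str, VplsObject] = {}
        self.fdb: Dict[str, FdbEntry] = {}

    def add(self, obj: VplsObject) -> VplsObject:
        self.objects[obj.name] = obj
        return obj

    def install_evpn_protected(self, mac: str, dest: str) -> bool:
        """Install a MAC that a remote PE advertised as protected (Seq:0/Static).

        A MAC already learned and protected on a local SAP is kept, as in the
        PE-3 FDB quoted for the simultaneous-learning case.
        """
        current = self.fdb.get(mac)
        if current and current.protected and self.objects[current.obj].learns:
            return False
        self.fdb[mac] = FdbEntry(dest, protected=True)
        return True

    def receive(self, obj_name: str, src_mac: str) -> str:
        """Apply the source-MAC checks to one frame and return the verdict."""
        obj = self.objects[obj_name]
        if not obj.oper_up:
            return "dropped: object oper-down"
        entry = self.fdb.get(src_mac)
        if entry and entry.protected and entry.obj != obj_name:
            if obj.rps == RPS_DF:
                return "discarded"
            if obj.rps == RPS:
                obj.oper_up = False
                obj.flags.add("RxProtSrcMac")
                return "discarded: object oper-down"
            # Assumption of this model: without RPS the frame is forwarded and
            # the protected entry stays where it is.
            return "forwarded"
        if obj.learns and (entry is None or entry.obj != obj_name):
            self.fdb[src_mac] = FdbEntry(obj_name, protected=obj.almp)
        return "forwarded"


CE10 = "aa:aa:01:10:10:10"           # MAC of CE-10, from the page
SAP = "sap:1/2/3:1"                  # SAP on PE-3
EVPN = "eMpls:192.0.2.2:262140"      # EVPN MPLS destination toward PE-2


def pe3(sap_rps: str) -> Vpls:
    vpls = Vpls()
    vpls.add(VplsObject(SAP, almp=True, rps=sap_rps))
    vpls.add(VplsObject(EVPN, rps=RPS_DF, learns=False))
    return vpls


def first_learned_on_pe2(sap_rps: str):
    """PE-2 protects the MAC first; its route reaches PE-3 before any frame."""
    vpls = pe3(sap_rps)
    vpls.install_evpn_protected(CE10, EVPN)
    verdict = vpls.receive(SAP, CE10)
    sap = vpls.objects[SAP]
    return verdict, sap.oper_up, sorted(sap.flags)


def learned_simultaneously():
    """PE-3 learns and protects the MAC on its SAP before PE-2's route arrives."""
    vpls = pe3(RPS_DF)
    local = vpls.receive(SAP, CE10)                       # learned, protected locally
    installed = vpls.install_evpn_protected(CE10, EVPN)   # local entry is kept
    from_pe2 = vpls.receive(EVPN, CE10)                   # same SA arriving from PE-2
    return local, installed, from_pe2


if __name__ == "__main__":
    print(first_learned_on_pe2(RPS_DF))
    print(first_learned_on_pe2(RPS))
    print(learned_simultaneously())
```

With RPS-DF on the SAP the offending frame is dropped and the SAP stays up; with plain RPS the SAP goes operationally down with the RxProtSrcMac flag, which is the state shown in the PE-3 SAP output above.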
  • Page 125: BGP Multi-Homing for VPLS Networks

    BGP Multi-Homing for VPLS Networks This chapter describes BGP Multi-Homing (BGP-MH) for VPLS network configurations. Topics in this chapter include: • Applicability • Summary • Overview •...
  • Page 126 Each multi-homing site connected to two or more peers is represented by a site-id (2 bytes long) which is encoded in the BGP MH Network Layer Reachability Information (NLRI).
  • Page 127: Overview

    Using Label Distribution Protocol (LDP) Signaling, and RFC 4761, Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling) architecture and functionality is assumed throughout this document. For further information, see the relevant Nokia documentation. Overview Figure 19 shows the example topology that will be used throughout the rest of the chapter.
  • Page 128 The topology consists of three core nodes (PE-1, PE-2, and PE-3) and three Multi-Tenant Unit (MTU) nodes connected to the core. The VPLS service 500 is configured on all six nodes with the following characteristics:...
  • Page 129 Configuration This section describes all the relevant configuration tasks for the setup shown in Figure 19. The appropriate associated IP/MPLS configuration is out of the scope of this chapter.
  • Page 130 • By having a direct BGP peering between MTU-4 and MTU-5, the BGP updates do not have to travel back and forth. • On MTU-4 and MTU-5, BGP is exclusively used for multi-homing, therefore there will not be more BGP peers for either MTU and an RR adds nothing in terms of control plane scalability.
  • Page 131 • The rapid-update l2-vpn statement allows BGP MH to send BGP updates immediately after detecting link failures, without having to wait for the Minimum Route Advertisement Interval (MRAI) to send the updates in batches. This statement is required to guarantee a fast convergence for BGP MH.
  • Page 132 configure router policy-options begin community "comm_core" members "target:65000:500" policy-statement "vsi500_export" entry 10 action accept community add "comm_core" exit exit exit policy-statement "vsi500_import" entry 10 from community "comm_core"...
  • Page 133 pw-template 500 use-provisioned-sdp create exit vpls 500 customer 1 create route-distinguisher 65000:501 vsi-export "vsi500_export" vsi-import "vsi500_import" pw-template-binding 500 split-horizon-group "CORE" exit exit bgp-vpls max-ve-id 65535 ve-name 501 ve-id 501 exit...
  • Page 134 − The pw-template-binding command maps the previously defined pw-template 500 to the split-horizon-group “CORE”. In this way, all the BGP-signaled pseudowires will be part of this split horizon group. Although not shown in this example, the pw-template-binding command can also be used to instantiate pseudowires within different split horizon groups, based on different import route targets:...
  • Page 135 Where: • The site name is defined by a string of up to 32 characters. • The site-id is an integer that identifies the multi-homing site and is encoded in the BGP MH NLRI.
  • Page 136 − Manual site activation using the no shutdown command at the site-id level or at member object(s) level (SAP(s) or pseudowire(s)) − Site activation after a failure −...
  • Page 137 =============================================================================== Site Information =============================================================================== Site Name : MH-site-1 ------------------------------------------------------------------------------- Site Id Dest : sap:1/1/1:8 Mesh-SDP Bind : no Admin Status : Enabled Oper Status : up Designated Fwdr : No DF UpTime...
  • Page 138 pw-template 500 use-provisioned-sdp create exit vpls 500 customer 1 create route-distinguisher 65000:502 vsi-export "vsi500_export" vsi-import "vsi500_import" pw-template-binding 500 split-horizon-group "CORE" exit exit bgp-vpls max-ve-id 65535 ve-name 502 ve-id 502 exit...
  • Page 139 site-id 1 split-horizon-group site-1 no shutdown exit endpoint "CORE" create no suppress-standby-signaling exit sap 1/1/1:7 split-horizon-group "site-1" create exit sap 1/1/2:8 split-horizon-group "site-1" create eth-cfm mep 48 domain 1 association 1 direction down fault-propagation-enable use-if-tlv ccm-enable...
  • Page 140 sdp 51 mpls create far-end 192.0.2.1 lsp "LSP-MTU-5-PE-1" path-mtu 8000 no shutdown exit sdp 52 mpls create far-end 192.0.2.2 lsp "LSP-MTU-5-PE-2" path-mtu 8000 no shutdown exit vpls 500 customer 1 create route-distinguisher 65000:505...
  • Page 141 configure router policy-options begin community "comm_core" members "target:65000:500" policy-statement "vsi500_export" entry 10 action accept community add "comm_core" local-preference 150 exit exit exit policy-statement "vsi500_import" entry 10 from community "comm_core"...
  • Page 142 Min Down Timer : default Timer Remaining : 0d 00:00:00 Failed Threshold : default(all) Monitor Oper Grp : (none) =============================================================================== *A:PE-2# The import and export policies are applied at service 500 level, which means that the LP changes for all the potential multi-homing sites configured under service 500.
  • Page 143 • BGP VPLS — The remote BGP VPLS PEs interpret the F bit transitions from 1 to 0 as an implicit MAC flush-all-from-me indication. If a BGP update with the flag F=0 is received from the previous DF PE, the remote PEs perform MAC flush-all-from-me, flushing all the MACs associated with the pseudowire to the old DF PE.
  • Page 144 Access CE/PE Signaling BGP MH works at service level, therefore no physical ports are torn down on the non-DF, but rather the objects are brought down operationally, while the physical port stays up and is used for any other services existing on that port.
  • Page 145 [Figure 22: Access PE/CE Signaling]
  • Page 146 If CE-8 is a service router, upon receiving a CCM with isDown, an alarm will be triggered and the SAP will be brought down: 61 2017/04/26 06:58:30.32 UTC MINOR: ETH_CFM #2001 Base "MEP 1/1/84 highest defect is now defRemoteCCM"...
  • Page 147 Description : (Not Specified) SDP Id : 51:500 Type : Spoke Spoke Descr : (Not Specified) Split Horiz Grp : (Not Specified) Etree Root Leaf Tag: Disabled Etree Leaf AC : Disabled VC Type...
  • Page 148 This concept can be used to enhance the BGP-MH solution for avoiding black-holes on the PE selected as the Designated Forwarder (DF), if the rest of the VPLS endpoints fail (pseudowire spoke(s)/pseudowire mesh and/or SAP(s)).
  • Page 149 exit exit site "MH-site-2" monitor-oper-group "group-1" exit When all the BGP-VPLS pseudowires go down, oper-group group-1 will go down and therefore the monitoring object, site MH-site-2, will also go down and PE-2 will then be elected as DF.
  • Page 150 =============================================================================== Site Site-Id Dest Mesh-SDP Admin Oper Fwdr ------------------------------------------------------------------------------- MH-site-2 sdp:25:500 Enabled up ------------------------------------------------------------------------------- Number of Sites : 1 ------------------------------------------------------------------------------- =============================================================================== *A:PE-2# The process reverts when at least one BGP-VPLS pseudowire comes back up. Show Commands and Debugging Options The main command to find out the status of a site is the show service id x site command.
  • Page 151 *A:MTU-5# The detail view of the command displays information about the BGP MH timers. The values are only shown if the global values are overridden by specific ones at service level (and will be tagged with Ovr if they have been configured at service level).
  • Page 152 *A:PE-3# show router bgp routes l2-vpn =============================================================================== BGP Router ID:192.0.2.3 AS:65000 Local AS:65000 =============================================================================== Legend - Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid l - leaked, x - stale, >...
  • Page 153 Nexthop : 192.0.2.1 From : 192.0.2.1 Res. Nexthop : n/a Local Pref. : 100 Interface Name : NotAvailable Aggregator AS : None Aggregator : None Atomic Aggr.
  • Page 154 The following shows the Layer 2 BGP routes on PE-1: *A:PE-1# show service l2-route-table - l2-route-table [detail] [bgp-ad] [multi-homing] [bgp-vpls] [bgp-vpws] [all-routes] <detail> : keyword - display detailed information *A:PE-1# show service l2-route-table multi-homing =============================================================================== Services: L2 Multi-Homing Route Information - Summary...
  • Page 155 SdpId SvcId Type IP address ------------------------------------------------------------------- 12:4294967292 BgpVpls 192.0.2.2 13:4294967293 BgpVpls 192.0.2.3 ------------------------------------------------------------------- SDP Entries found: 2 =================================================================== =============================================================================== Monitoring Sites for OperGroup: group-1 =============================================================================== SvcId Site Site-Id...
  • Page 156 Log 2 has been configured to log BGP updates and LDP commands. *A:MTU-4# show log log-id 2 =============================================================================== Event Log 2 =============================================================================== Description : (Not Specified) Memory Log contents [size=100 next event=11...
  • Page 157 Assuming all the recommended tools are enabled, a DF to non-DF transition can be shown as well as the corresponding MAC flush messages and related BGP processing.
  • Page 158 l2-vpn/vrf-imp:Encap=19: Flags=D: MTU=1514: PREF=0 " The D flag, sent along with the BGP VPLS update for veid 501, would be seen on the remote core PEs as though it was a pseudowire status fault (although there is no TLDP running in the core).
  • Page 159: BGP Virtual Private Wire Services

    BGP Virtual Private Wire Services This chapter describes BGP Virtual Private Wire Service (VPWS) configurations. Topics in this chapter include: • Applicability • Overview • Configuration •...
  • Page 160 Overview [Figure 24: Example Topology] The network topology is shown in Figure 24.
  • Page 161 BGP VPWS In this architecture, a VPWS is a collection of two (or three in case of redundancy) BGP VPWS service instances present on different PEs in a provider network. The PEs communicate with each other at the control plane level by means of BGP updates containing BGP VPWS Network Layer Reachability Information (NLRI).
  • Page 162 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 autonomous-system 65536 group "INTERNAL" family l2-vpn peer-as 65536 neighbor 192.0.2.5 exit exit exit exit The configuration for the other PE nodes is exactly the same. The IP addresses can be derived from Figure The configuration for the Route Reflector (RR-5) is:...
  • Page 163 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 Def. Instance 65536 0 00h00m22s 0/0/0 (L2VPN) ------------------------------------------------------------------------------- *A:RR-5# Configuration Pseudowire Templates BGP VPWS utilizes pseudowire (PW) templates to dynamically instantiate SDP bindings for a service to signal the egress service de-multiplexer labels used by remote PEs to reach the local PE.
  • Page 164 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 vlan-vc-tag 0..4094 no vlan-vc-tag Note that: • The encapsulation type in the Layer-2 extended community is either 4 (Ethernet VLAN tagged mode) or 5 (Ethernet raw mode), depending on the vc-type parameter.
  • Page 165 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 A pseudowire template is required. The following example is created using the default values: configure service pw-template 1 create exit Pseudowire Templates for Provisioned SDPs using RSVP-TE RSVP-TE LSPs need to be created between the PE routers on which provisioned SDPs will be used as prerequisite.
  • Page 166 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 description "SDP-PE-1-PE-2_RSVP_BGP" signaling bgp far-end 192.0.2.2 lsp "LSP-PE-1-PE-2" no shutdown exit The signaling bgp parameter is required. BGP VPWS instances using BGP VPWS signaling are able to use these SDPs. Conversely, SDPs that are bound to RSVP-based LSPs with signaling set to the default value of “tldp”...
  • Page 167 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 *A:PE-1# configure service pw-template 1 create vc-type vlan exit epipe 1 customer 1 create route-distinguisher 65536:11 route-target export target:65536:1 import target:65536:1 pw-template-binding 1 exit exit bgp-vpws ve-name "PE-1"...
  • Page 168 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-1# tools perform service eval-pw-template 1 eval-pw-template succeeded for Svc 1 Tx L2 ExtComm, Policy 1 eval-pw-template succeeded for Svc 1 17407:4294967295 Policy 1 *A:PE-1# VE-ID and BGP Label Allocations For a point-to-point VPWS, there are only two members within the BGP VPWS service, so only one label entry is required by each remote service.
  • Page 169 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 exit no shutdown exit PE-1 Service Operation Verification Verify that the BGP VPWS service is enabled on PE-1. *A:PE-1# show service id 1 bgp-vpws =============================================================================== BGP VPWS Information =============================================================================== Admin State...
  • Page 170 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Service Type : Epipe Name : (Not Specified) Description : (Not Specified) Customer Id Creation Origin : manual Last Status Change: 05/02/2017 13:30:00 Last Mgmt Change : 05/02/2017 13:30:00 Test Service : No...
  • Page 171 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 *A:PE-1# show log log-id 2 ---snip--- 4 2017/05/02 13:30:17.85 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.5 "Peer 1: 192.0.2.5: UPDATE Peer 1: 192.0.2.5 - Send BGP UPDATE: Withdrawn Length = 0 Total Path Attr Length = 76 Flag: 0x90 Type: 14 Len: 32 Multiprotocol Reachable NLRI:...
  • Page 172 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-1# configure service epipe 1 sap 1/1/4:1 shutdown 6 2017/05/02 13:34:40.86 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.5 "Peer 1: 192.0.2.5: UPDATE Peer 1: 192.0.2.5 - Send BGP UPDATE: Withdrawn Length = 0 Total Path Attr Length = 76 Flag: 0x90 Type: 14 Len: 32 Multiprotocol Reachable NLRI:...
  • Page 173 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 PE-3 Service Operation Verification Similar to PE-1, the service operation should be validated on PE-3. Single Homed BGP VPWS using Pre-Provisioned SDP It is possible to configure BGP VPWS instances that use RSVP-TE transport tunnels. In this case, the SDPs must be created with the MPLS LSPs mapped and with the signaling set to BGP, because the service labels are signaled using BGP.
  • Page 174 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 signaling bgp far-end 192.0.2.2 lsp "LSP-PE-1-PE-2" no shutdown exit SDP on PE-2 *A:PE-2# configure service sdp 21 mpls create description "SDP-PE-2-PE-1_RSVP_BGP" signaling bgp far-end 192.0.2.1 lsp "LSP-PE-2-PE-1"...
  • Page 175 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 The route distinguisher and route target extended community values for Epipe 2 differ from those in Epipe 1. This is to differentiate between the two as their visibility is global within the BGP domain.
  • Page 176 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 For completeness, verify the service is operationally up on PE-2. *A:PE-2# show service id 2 base =============================================================================== Service Basic Information =============================================================================== Service Id Vpn Id Service Type : Epipe ---snip---...
  • Page 177 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 Figure 27 Dual Homed BGP VPWS with Single Pseudowire VE-id=1 MH-id=1 PE-1 Site-preference=200 RD=65551:31 RT=65536:3 192.0.2.1 Epipe 3 VE-id=3 RD=65551:32 RT=65536:3 Dual-homed Site 192.0.2.4 192.0.2.2 SiteB SiteA PE-2...
  • Page 178 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 no shutdown exit site "SITEB" create site-id 1 sap 1/1/4:3 site-preference 200 no shutdown exit sap 1/1/4:3 create exit no shutdown exit Epipe 3 is configured on PE-3 as follows: *A:PE-3# configure service pw-template 3 create...
  • Page 179 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 route-distinguisher 65536:32 route-target export target:65536:3 import target:65536:3 pw-template-binding 3 exit exit bgp-vpws ve-name "PE-2" ve-id 2 exit remote-ve-name "PE-1 or PE-3" ve-id 1 exit no shutdown exit sap 1/1/4:3 create exit...
  • Page 180 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-2# show router bgp routes l2-vpn rd 65536:33 =============================================================================== BGP Router ID:192.0.2.2 AS:65536 Local AS:65536 =============================================================================== Legend - Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid l - leaked, x - stale, >...
  • Page 181 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 After disabling the SAP in the service on PE-1, BGP update messages are received. The VPLS/VPWS message received on PE-2 from PE-1 shows in the CSV that the access circuit is down (the CSV has the most-significant bit set to 1 (0x80)), so PE-2 selects the update from PE-3 to create the pseudowire.
  • Page 182 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 " The result can be shown on PE-2 as now the spoke SDP is up (active) to PE-3. *A:PE-2# show service l2-route-table bgp-vpws detail =============================================================================== Services: L2 Bgp-Vpws Route Information - Summary =============================================================================== ---snip---...
  • Page 183 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 Figure 28 Dual Homed BGP VPWS with Active/Standby Pseudowire VE-id=1 MH-id=1 PE-1 Site-preference=200 RD=65551:41 RT=65551:4 192.0.2.1 Epipe 4 VE-id=3 RD=65551:42 RT=65551:4 Dual-homed Site 192.0.2.4 192.0.2.2 SiteB SiteA PE-2...
  • Page 184 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 exit no shutdown exit site "SITEB" create site-id 1 sap 1/1/4:4 site-preference 200 no shutdown exit sap 1/1/4:4 create exit no shutdown exit Epipe 4 is configured on PE-3 as follows: The local VE-ID is 3 (different from previous example).
  • Page 185 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 pw-template 3 create exit epipe 4 customer 1 create route-distinguisher 65536:42 route-target export target:65536:4 import target:65536:4 pw-template-binding 3 exit exit bgp-vpws ve-name "PE-2" ve-id 2 exit remote-ve-name "PE-1"...
  • Page 186 BGP Virtual Private Wire Services Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Path MTU : 1514 Control Word Seq Delivery Status : active Tx Status : inactive Preference : 10 Sdp Bind Id : 17406:4294967289 =============================================================================== *A:PE-2# The choice of pseudowire to be used to transmit traffic from PE-2 to PE-1 can also be seen in the endpoint created in the BGP VPWS service.
  • Page 187 Advanced Configuration Guide - Part II BGP Virtual Private Wire Services Releases Up To 15.0.R5 Conclusion BGP VPWS allows the delivery of Layer 2 virtual private wire services to customers where BGP is commonly used. This chapter shows the configuration of single and dual-homed BGP VPWS services together with the associated show output, which can be used to verify and troubleshoot them.
  • Page 189: Bgp Vpls

    Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 BGP VPLS This chapter describes advanced BGP VPLS configurations. Topics in this chapter include: • Applicability • Summary • Overview • Configuration • Conclusion Applicability This chapter was initially written for SR OS release 9.0.R3. The CLI in the current edition corresponds to release 15.0.R2.
  • Page 190 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Overview Figure 29 Network Topology (diagram of RR-7, PE-1, PE-2 and PE-3 with their system and link addresses) The network topology is displayed in Figure 29.
  • Page 191 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 BGP VPLS In this architecture, a VPLS instance is a collection of local VPLS instances present on a number of PEs in a provider network. In this context, any VPLS-aware PE is also known as a VPLS Edge (VE) device.
  • Page 192 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The BGP configuration for the other PE nodes is identical. The IP addresses can be derived from Figure The configuration for RR-7 is as follows: *A:RR-7# configure router autonomous-system 65536 cluster 1.1.1.1...
  • Page 193 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 =============================================================================== * indicates that the corresponding row element may have been truncated. *A:PE-1# On RR-7, show that BGP sessions with each PE are established, and have negotiated the l2-vpn address family capability. *A:RR-7# show router bgp summary all =============================================================================== BGP Summary...
  • Page 194 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 no shutdown exit no shutdown exit The MPLS and LSP configuration for PE-2 and PE-3 are similar to that of PE-1 with the appropriate interfaces and LSP names configured. BGP VPLS PE Configuration Pseudowire Templates Pseudowire templates are used by BGP to dynamically instantiate SDP bindings, for...
  • Page 195 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Using this mechanism, SDPs can be auto-instantiated with SDP-IDs starting at the higher end of the SDP numbering range, such as 17407. Any subsequent SDPs created use SDP-IDs decrementing from this value. A pseudowire template is required containing a split horizon group.
  • Page 196 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 far-end 192.0.2.2 lsp "LSP-PE-1-PE-2" no shutdown exit The signaling bgp parameter is required for BGP-VPLS to be able to use this SDP. Conversely, SDPs that are bound to RSVP-based LSPs with signaling set to the default value of tldp will not be used as SDPs within BGP-VPLS.
  • Page 197 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 exit bgp-vpls max-ve-id 10 ve-name "PE-1" ve-id 1 exit no shutdown exit service-name "VPLS1_PE-1" sap 1/1/4:1.0 create exit no shutdown exit The bgp context specifies parameters which are valid for all of the VPLS BGP applications, such as BGP-multi-homing, BGP-auto-discovery, and BGP-VPLS.
  • Page 198 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 VE-ID and BGP Label Allocations The choice of ve-id is crucial in ensuring efficient allocation of de-multiplexer labels. The most efficient choice is for ve-ids to be allocated starting at 1 and incrementing for each PE as the following section explains.
  • Page 199 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Table 2 VE-IDs and Labels (Continued) VE-ID Label 262132 262133 262434 262135 This shows that the label allocated to a given PE is (LB+veid-1). The “1” is the VE block offset (VBO).
  • Page 200 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 If ve-ids are chosen that map to different block offsets, then each PE will have to send multiple BGP updates to signal service labels. Each PE sends label blocks in BGP updates to each of its BGP neighbors for all label blocks in which at least one ve-id has been seen by this PE (it does not advertise label blocks which do not contain an active ve-id, where active ve-id means the ve-id of this PE or any other PE in this...
  • Page 201 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 no shutdown exit service-name "VPLS1_PE-2" sap 1/1/4:1.0 create exit no shutdown exit The max-ve-id value is set to 10 to allow an increase in the number of PEs that could be a part of this VPLS instance.
  • Page 202 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== Max Ve Id : 10 Admin State : Enabled VE Name : PE-1 VE Id PW Tmpl used =============================================================================== *A:PE-1# The following command shows that the service is operationally up on PE-1: *A:PE-1# show service id 1 base =============================================================================== Service Basic Information...
  • Page 203 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 As can be seen from the following output, a BGP-VPLS NLRI update is sent to the route reflector (192.0.2.7) and is received by each PE. The following debug trace from PE-1 shows the BGP NLRI update for VPLS 1 sent by PE-1 to the route reflector.
  • Page 204 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Flag: 0x90 Type: 14 Len: 28 Multiprotocol Reachable NLRI: Address Family L2VPN NextHop len 4 NextHop 192.0.2.1 [VPLS/VPWS] preflen 17, veid: 1, vbo: 1, vbs: 8, label-base: 262128, RD 65536:1 Flag: 0x40 Type: 1 Len: 1 Origin: 0 Flag: 0x40 Type: 2 Len: 0 AS Path: Flag: 0x80 Type: 4 Len: 4 MED: 0...
  • Page 205 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Source Class Dest Class ------------------------------------------------------------------------------- Routes : 4 =============================================================================== *A:PE-1# In this configuration example, PE-1 (192.0.2.1) with ve-id =1 has sent an update with base offset (VBO) =1, block size (VBS) = 8, and label base 262128. This means that labels 262128 (LB) to 262135 (LB+VBS-1) are available as de-multiplexer labels, egress labels to be used to reach PE-1 for VPLS 1.
  • Page 206 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Label calculation = label base + local ve-id - Base offset = 262128 + 2 - 1 Egress label used = 262129 This is verified using the following command on PE-2 where the egress label toward PE-1 (192.0.2.1) is 262129.
  • Page 207 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Routes : 3 =============================================================================== *A:PE-3# The ve-id of PE-3 is also in the label block covered by block offset VBO =1. Label calculation= label base + local ve-id - VBO = 262128 + 3 - 1 Egress label used = 262130 This is verified using the following command on PE-3 where egress label toward...
  • Page 208 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== * indicates that the corresponding row element may have been truncated. *A:PE-2# PE-2 De-Multiplexer Label Calculation In the same way that PE-1 allocates a label base (LB), block size (VBS), and base offset (VBO), PE-2 also allocates the same parameters for PE-1 and PE-3 to calculate the egress service label required to reach PE-2.
  • Page 209 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 =============================================================================== Services: Service Destination Points =============================================================================== SdpId Type Far End addr I.Lbl E.Lbl ------------------------------------------------------------------------------- 17406:4294967294 BgpVpls 192.0.2.3 262130 262128 17407:4294967295 BgpVpls 192.0.2.2 262129 262126 ------------------------------------------------------------------------------- Number of SDPs : 2 ------------------------------------------------------------------------------- =============================================================================== *A:PE-1#...
  • Page 210 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 ------------------------------------------------------------------------------- sap:1/1/4:1.0 qinq 1522 1522 sdp:17406:4294967294 SB(192.0.2.1) BgpVpls 1556 sdp:17407:4294967295 SB(192.0.2.2) BgpVpls 1556 =============================================================================== * indicates that the corresponding row element may have been truncated. *A:PE-3# *A:PE-3# show service id 1 sdp =============================================================================== Services: Service Destination Points ===============================================================================...
  • Page 211 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Services: Service Destination Points =============================================================================== SdpId Type Far End addr I.Lbl E.Lbl ------------------------------------------------------------------------------- 17406:4294967294 BgpVpls 192.0.2.3 262128 262129 17407:4294967295 BgpVpls 192.0.2.1 262126 262129 ------------------------------------------------------------------------------- Number of SDPs : 2 ------------------------------------------------------------------------------- =============================================================================== *A:PE-2#...
  • Page 212 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 31 BGP VPLS Using Pre-Provisioned SDP (diagram of VPLS 2 on PE-1 192.0.2.1, PE-2 192.0.2.2 and PE-3 192.0.2.3, with RR-7 192.0.2.7 and SDPs 12, 13, 21, 23, 31 and 32) Figure 31...
  • Page 213 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 sdp 23 mpls create description "SDP-PE-2-PE-3_RSVP_BGP" signaling bgp far-end 192.0.2.3 lsp "LSP-PE-2-PE-3" no shutdown exit SDPs on PE-3 *A:PE-3# configure service sdp 31 mpls create description "SDP-PE-3-PE-1_RSVP_BGP" signaling bgp far-end 192.0.2.1 lsp "LSP-PE-3-PE-1"...
  • Page 214 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The following output shows the configuration required for a BGP-VPLS service using a pseudowire template configured for using pre-provisioned RSVP-TE SDPs. *A:PE-1# configure service vpls 2 customer 1 create route-distinguisher 65536:2 route-target export target:65536:2 import target:65536:2 pw-template-binding 2...
  • Page 215 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 *A:PE-3# configure service vpls 2 customer 1 create route-distinguisher 65536:2 route-target export target:65536:2 import target:65536:2 pw-template-binding 2 exit exit bgp-vpls max-ve-id 100 ve-name "PE-3" ve-id 3 exit no shutdown exit sap 1/1/4:2.0 create exit...
  • Page 216 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Service Type : VPLS ---snip--- Admin State : Up Oper State : Up : 1514 Def. Mesh VC Id SAP Count SDP Bind Count ---snip--- ------------------------------------------------------------------------------- Service Access & Destination Points ------------------------------------------------------------------------------- Identifier Type...
  • Page 217 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Consider PE-1’s BGP update NLRIs. *A:PE-1# show router bgp routes l2-vpn rd 65536:2 hunt =============================================================================== BGP Router ID:192.0.2.1 AS:65536 Local AS:65536 =============================================================================== Legend - Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid l - leaked, x - stale, >...
  • Page 218 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Route Tag Neighbor-AS : N/A Orig Validation: N/A Source Class Dest Class ------------------------------------------------------------------------------- Routes : 8 =============================================================================== *A:PE-1# Two NLRI updates are sent to the route reflector, with the following label parameters: 1.
  • Page 219 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 • ve-id < (VBO+VBS) for ve-id = 3 is true. • PE-3 chooses label 262120 + 3 - 1 = 262122 (LB + veid - VBO) • Update 2: LB = 262112, VBS = 8, VBO = 17 •...
  • Page 220 BGP VPLS Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Label Label Type Label Owner ----------------------------------------------------------------- 262110 dynamic ILDP 262111 dynamic ILDP 262112 dynamic 262113 dynamic 262114 dynamic 262115 dynamic 262116 dynamic 262117 dynamic 262118 dynamic 262119 dynamic 262120 dynamic 262121...
  • Page 221 Advanced Configuration Guide - Part II BGP VPLS Releases Up To 15.0.R5 Conclusion BGP-VPLS allows the delivery of Layer 2 VPN services to customers where BGP is commonly used. The examples presented in this chapter show the configuration of BGP-VPLS together with the associated show outputs which can be used for verification and troubleshooting.
  • Page 223: Black-Hole Mac For Evpn Loop Protection

    Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 Black-hole MAC for EVPN Loop Protection This chapter provides information about Black-hole MAC for EVPN Loop Protection. Topics in this chapter include: • Applicability •...
  • Page 224 Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 32 Black-hole MAC for EVPN Loop Protection PE-1 192.0.2.1 CE-10 EVI 1 172.16.10.10/24 MAC1 = ca:fe:01:10:10:10 EVPN-MAC EVPN-MAC MAC2 SEQ x MAC2 SEQ backdoor link CE-20 EVI 1...
  • Page 225 Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 If the mac-duplication black-hole-dup-mac option is configured, MAC2 will be added to the FDB as black-hole MAC, so traffic with MAC DA = MAC2 will be discarded.
  • Page 226 Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • MAC addresses assigned to a black-hole destination are protected and incoming frames with MAC SA = MAC2 will be discarded or the system will bring down the SAP/SDP-binding, depending on the restrict-protected-src setting on the SAP/SDP/EVPN endpoint.
  • Page 227 Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 Configuration Figure 33 shows the example topology with three PEs and two CEs. A loop will occur when CE-20 sends Broadcast, Unknown unicast, or Multicast (BUM) traffic. Traffic between PE-2 and PE-3 will be sent over the regular router interfaces between the PEs, but also over the backdoor link (SAP 1/1/2:1 in VPLS 1 on PE-2 and SAP 1/1/1:1 in VPLS 1 on PE-3).
  • Page 228 Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 configure router autonomous-system 64500 min-route-advertisement 1 rapid-withdrawal split-horizon rapid-update evpn group "internal" family evpn cluster 1.1.1.1 peer-as 64500 neighbor 192.0.2.1 exit neighbor 192.0.2.2 exit exit exit VPLS 1 is configured on all PEs with BGP-EVPN and MAC duplication enabled, as...
  • Page 229 Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 On the EVPN-MPLS endpoints, restrict-protected-src discard-frame must be configured. When MAC address ca:fe:02:20:20:20 is detected on PE-3 as a duplicate MAC address that is black-holed, the EVPN-MPLS endpoints on PE-3 should discard all frames with MAC SA ca:fe:02:20:20:20.
  • Page 230 Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== *A:PE-2# The following FDB on PE-3 shows that MAC ca:fe:02:20:20:20 has been detected as a duplicate and protected MAC (type EvpnD:P) associated with a black-hole endpoint: *A:PE-3# show service id 1 fdb mac ca:fe:02:20:20:20 ===============================================================================...
  • Page 231 Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 50 2017/08/17 07:16:28.176 UTC MINOR: SVCMGR #2331 Base "VPLS Service 1 has MAC(s) detected as duplicates by EVPN mac-duplication detection." MAC address ca:fe:02:20:20:20 remains in the FDB as duplicate and black-holed until the retry interval expires, as follows: *A:PE-3# configure service vpls 1 bgp-evpn mac-duplication retry - no retry...
  • Page 232: Clear Commands

    Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Clear Commands The following FDB entry on PE-3 of type EvpnD:P cannot be cleared with a normal FDB clear command: *A:PE-3# show service id 1 fdb mac ca:fe:02:20:20:20 =============================================================================== Forwarding Database, Service 1 ===============================================================================...
  • Page 233 Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 *A:PE-3# show service id 1 bgp-evpn | match "Detected" pre-lines 2 post-lines 5 ------------------------------------------------------------------------------- Detected Duplicate MAC Addresses Time Detected ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- =============================================================================== =============================================================================== *A:PE-3# Instead of clearing the MAC duplication state for one specific MAC address, all duplicate MAC addresses can be cleared by the following command:...
  • Page 234 Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-3# show log log-id 99 count 3 =============================================================================== Event Log 99 =============================================================================== Description : Default System Log Memory Log contents [size=500 next event=103 (not wrapped)] 102 2017/08/17 11:29:07.597 UTC MINOR: SVCMGR #2203 Base "Status of SAP 1/1/1:1 in service 1 (customer 1) changed to admin=up oper=down flags=RxProtSrcMac "...
  • Page 235 Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 Black-hole MAC Duplication in All-active Multi-homing Figure 34 shows the example topology with all-active multi-homing. Figure 34 Example Topology with All-active Multi-homing PE-1 192.0.2.1 CE-12 1/2/1:2 172.16.20.12/24...
  • Page 236 Black-hole MAC for EVPN Loop Protection Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The reason why black-hole MAC duplication should be configured instead of ALMP is the following. When ALMP is configured on SAP lag-1:2 on PE-2 and PE-3, MAC address ca:fe:01:12:12:12 of CE-12 is learned and protected on the SAP on both PEs.
  • Page 237 Advanced Configuration Guide - Part II Black-hole MAC for EVPN Loop Protection Releases Up To 15.0.R5 resolution any exit no shutdown exit exit sap 1/2/1:2 create exit sap lag-1:2 create exit no shutdown The configuration of VPLS 2 on PE-3 is similar. Conclusion Black-hole MAC for EVPN MAC duplication protects EVPN services against customer-created backdoors or loops, while supporting MAC mobility and all-active...
  • Page 239: Conditional Static Black-Hole Mac In Evpn

    Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 Conditional Static Black-Hole MAC in EVPN This chapter provides information about Conditional Static Black-Hole MAC in EVPN. Topics in this chapter include: • Applicability •...
  • Page 240 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The default behavior on the SAP/SDP-bindings is Restricted Protected Source Discard Frame (RPS-DF). Therefore, all frames with MAC SA equal to the black-hole MAC will, by default, be dropped on the SAP/SDP-binding where the frames enter the service.
  • Page 241 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 Figure 36 Proxy-ARP/ND and ARP Spoofing MACs/IPs MAC/IP IP or IP/MPLS Core Network Who has IP1? MAC1 has IP1 Proxy-ARP/ND Spoofer 26244 EVPN can suppress ARP/ND flooding within an EVPN service if all the attached hosts advertise their presence.
  • Page 242 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Configuration Figure 37 shows the example topology. Traffic will be sent between the CEs and may be dropped in the PEs if the MAC DA or MAC SA matches a black-hole MAC. IP address 172.16.0.10/24 is duplicate (CE-10 and CE-11).
  • Page 243 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 peer-as 64500 neighbor 192.0.2.3 exit neighbor 192.0.2.4 exit exit exit VPLS 1 is configured on all PEs and on MTU-1 (MTU-1's VPLS 1 is connected to PE-3 by a SAP).
  • Page 244 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 38 Conditional Static Black-Hole MAC PE-3 MTU-1 192.0.2.1 192.0.2.3 1/2/1:1 CE-30 CE-10 172.16.0.30/24 00:00:aa:aa:aa:aa 1/2/1:1 CE-40 CE-20 172.16.0.40/24 172.16.0.20/24 00:00:04:40:40:40 00:00:02:20:20:20 PE-4 PE-2 192.0.2.2 192.0.2.4 26246...
  • Page 245 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 =============================================================================== ServId Source-Identifier Type Last Change ------------------------------------------------------------------------------- 00:00:aa:aa:aa:aa black-hole CStatic: 05/15/17 13:41:03 ---snip--- The source identifier is black-hole and it is applicable to frames that enter the VPLS on this node, regardless of how they enter the VPLS (SAP, SDP-binding, or EVPN endpoint).
  • Page 246 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Request timed out. icmp_seq=1. Request timed out. icmp_seq=2. Request timed out. icmp_seq=3. Request timed out. icmp_seq=4. Request timed out. icmp_seq=5. ---- 172.16.0.30 PING Statistics ---- 5 packets transmitted, 0 packets received, 100% packet loss *A:PE-2# The port statistics show that the traffic was sent from PE-2 to PE-3, where it entered...
  • Page 247 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 =============================================================================== Port Statistics on Slot 1 =============================================================================== Port Ingress Ingress Egress Egress Packets Octets Packets Octets ------------------------------------------------------------------------------- 1/1/3 1051 129115 5016 =============================================================================== The FDB entry for this MAC DA is black-holed and no traffic is received on SAP 1/2/1:1 toward CE-30;...
  • Page 248 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-2# show port 1/1/[1..3] statistics =============================================================================== Port Statistics on Slot 1 =============================================================================== Port Ingress Ingress Egress Egress Packets Octets Packets Octets ------------------------------------------------------------------------------- 1/1/1 1534 1017 125718 ===============================================================================...
  • Page 249 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 Conditional Static Black-Hole MAC in Combination with Restrict Protected Source For Ethernet frames with MAC SA equal to the static black-hole MAC, the treatment is the same as for protected MACs (see chapter Auto-Learn MAC Protect in EVPN),...
  • Page 250 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-3# clear port 1/[1..2]/[1..4] statistics *A:PE-3# ping router 10 172.16.0.20 rapid count 1000 ---snip--- 1000 packets transmitted, 0 packets received, 100% packet loss *A:PE-3# show port 1/[1..2]/[1..4] statistics =============================================================================== Port Statistics on Slot 1 ===============================================================================...
  • Page 251 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 ---snip--- 1000 packets transmitted, 0 packets received, 100% packet loss *A:PE-3# show port 1/[1..2]/[1..4] statistics =============================================================================== Port Statistics on Slot 1 =============================================================================== Port Ingress Ingress Egress Egress...
  • Page 252 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 When CE-30 sends traffic with MAC SA equal to a protected MAC address (black-hole or not), the entire SAP 1/2/1:1 will be brought operationally down, as follows: *A:PE-3# ping router 10 172.16.0.20 PING 172.16.0.20 56 data bytes Request timed out.
  • Page 253 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 The SAP can only be brought up manually by disabling and re-enabling the SAP, as follows: *A:PE-3# configure service vpls 1 sap 1/2/1:1 shutdown *A:PE-3# configure service vpls 1 sap 1/2/1:1 no shutdown *A:PE-3# show service id 1 sap ===============================================================================...
  • Page 254 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • Dynamic (learned on SAP) and EVPN • EVPN and dynamic • Dynamic and dynamic The following example shows IP address moves from dynamic to dynamic between SAP 1/2/1:1 (to CE-10) and SAP 1/2/1:2 (to CE-11) in VPLS 1 on MTU-1.
  • Page 255 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 <static-black-hole> : keyword In VPLS 1 on PE-3, a proxy-ARP with duplicate IP detection is configured, including an optional anti-spoof MAC (AS-MAC) 00:00:bb:bb:bb:bb for offending IP addresses, as follows: configure service...
  • Page 256 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Flag: 0xc0 Type: 16 Len: 24 Extended Community: target:64500:1 bgp-tunnel-encap:MPLS mac-mobility:Seq:0/Static " Without the option static black-hole, the configured AS-MAC is not added to the local FDB, but this MAC address is treated as a local MAC.
  • Page 257 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 bgp-tunnel-encap:MPLS " There is no duplicate IP detected yet. The following GARP update is sent locally: 62 2017/05/16 10:14:11.19 UTC MINOR: DEBUG #2001 Base proxy arp "proxy arp: svc: 1 ip: 172.16.0.10 type: Dyn mac: 00:00:01:11:11:11 Gratuitous Update"...
  • Page 258 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 When CE-10 confirms MAC 00:00:01:10:10:10 for IP 172.16.0.10, IP duplication is detected for IP address 172.16.0.10 (after three MAC moves in a detection period of three minutes), and the following message is raised in log 99 after a duplicate proxy-ARP entry was detected for IP 172.16.0.10: 60 2017/05/16 10:14:56.19 UTC MINOR: SVCMGR #2346 Base...
  • Page 259 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 The proxy-ARP entry is shown with type duplicate (dup) and active status in the proxy-ARP table for VPLS 1 on PE-3, as follows: *A:PE-3# show service id 1 proxy-arp detail ------------------------------------------------------------------------------- Proxy Arp -------------------------------------------------------------------------------...
  • Page 260 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Note: The AS-MAC will always be "unique" in the system. When the AS-MAC is configured, the system will flush any entry with the same MAC learned through EVPN or dynamic sources.
  • Page 261 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 Withdrawn Length = 0 Total Path Attr Length = 46 Flag: 0x90 Type: 15 Len: 42 Multiprotocol Unreachable NLRI: Address Family EVPN Type: EVPN-MAC Len: 37 RD: 192.0.2.3:1 ESI: ESI-0, tag: 0, mac len: 48 mac: 00:00:bb:bb:bb:bb, IP len: 4, IP: 172.16.0.10, label1: 0 "...
  • Page 262 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 MAC 00:00:01:10:10:10 is confirmed for IP 172.16.0.10; therefore, the MAC address is changed in the proxy-ARP entry from 00:00:01:11:11:11 to 00:00:01:10:10:10, and an ARP confirmation is asked for the old MAC 00:00:01:11:11:11, as follows: 83 2017/05/16 10:14:56.08 UTC MINOR: DEBUG #2001 Base proxy arp "proxy arp: svc: 1 ip: 172.16.0.10 Mac Change: 00:00:01:11:11:11->00:00:01:10:10:10 "...
  • Page 263 AS-MACs in the service at each PE, which increases the complexity of the filters. Nokia recommends using the same AS-MAC for the same service in all the PEs where duplicate detect is active and MAC filters need to be configured.
  • Page 264 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 1. Local MACs (including AS-MACs without static-black-hole, es-bmacs, src-bmacs, OAM, and so on) 2. Conditional static MACs (including AS-MACs with static-black-hole) 3. Auto-Learn Protected MACs 4.
  • Page 265 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 vpls 1 static-mac mac 00:00:bb:bb:bb:bb create black-hole exit proxy-arp dup-detect window 3 num-moves 5 hold-down max anti-spoof-mac 00:00:bb:bb:bb:bb static-black-hole dynamic-arp-populate static 172.16.0.20 00:00:02:20:20:20 no shutdown exit When the AS-MAC is configured with the static black-hole option, the AS-MAC will be added not only to the MAC DB, but also to the FDB as CStatic, and associated...
  • Page 266 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 target:64500:1 bgp-tunnel-encap:MPLS mac-mobility:Seq:0/Static " When a duplicate IP address is detected, the EVPN-MAC update contains the IP address 172.16.0.10, as follows: 126 2017/05/16 11:04:37.65 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.2 "Peer 1: 192.0.2.2: UPDATE Peer 1: 192.0.2.2 - Send BGP UPDATE: Withdrawn Length = 0...
  • Page 267 Advanced Configuration Guide - Part II Conditional Static Black-Hole MAC in EVPN Releases Up To 15.0.R5 No. of ARP Entries: 2 =============================================================================== A:PE-3# CE-30 and CE-31 cannot reach CE-10 or CE-11, because the MAC DA will be the AS-MAC and all traffic to this MAC DA is black-holed instead of forwarded to SAP 1/2/3:1 toward CE-10 or CE-11.
  • Page 268 Conditional Static Black-Hole MAC in EVPN Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Conclusion Static black-hole MACs can be applied in EVPN for security as a scalable alternative to MAC filters. Static black-hole MACs are programmed in the FDB and all frames with MAC DA equal to the static black-hole MAC are dropped, regardless of how the frame arrived at the system (SAP/SDP-binding or EVPN endpoint).
  • Page 269: Evpn For Mpls Tunnels

    Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 EVPN for MPLS Tunnels This chapter provides information about EVPN for MPLS tunnels. Topics in this chapter include: • Applicability • Overview • Configuration • Conclusion Applicability This chapter was initially written for SR OS Release 13.0.R6, but the CLI in the current edition corresponds to release 15.0.R2.
  • Page 270 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The EVPN for Virtual eXtensible Local Area Network (VXLAN) tunnels (Layer 2) chapter focuses on the use of EVPN as a control plane for VXLAN tunnels, whereas this chapter provides configuration guidelines for EVPN when used for MPLS tunnels.
  • Page 271 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 When EVPN multi-homing is used in an EVI, routes type 1 and 4 are used (where type 1 has two different purposes): • Route type 1 - Auto-discovery per Ethernet segment (AD per ES) route: This route is advertised per ES from the PE, carries the Ethernet Segment Identifier (ESI) label (used for split-horizon) in multi-homing mode, and can affect procedures such as the Designated Forwarder (DF) election, as well as the...
  • Page 272 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 41 EVPN-MPLS for VPLS Services 192.0.2.2 PE-2 192.0.2.4 PE-4 (Route-Reflector) VPLS 1 VPLS 1 192.0.2.6 192.0.2.1 MTU-6 MTU-1 1/2/1:1 1/2/1:1 IP/MPLS IP/MPLS LAG-1 VPLS 1 VPLS 1 Access CORE...
  • Page 273 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 enable-peer-tracking rapid-withdrawal split-horizon rapid-update evpn group "internal" family evpn cluster 1.1.1.1 peer-as 64500 neighbor 192.0.2.3 exit neighbor 192.0.2.4 exit neighbor 192.0.2.5 exit exit The BGP configuration on the clients PE-3, PE-4, and PE-5 is as follows: configure router autonomous-system 64500...
  • Page 274 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 EVPN routes type 1 (auto-discovery per-EVI route), type 2 (MAC/IP route), type 3 (inclusive multicast route), and type 5 (IP-prefix route) are always sent with the BGP encapsulation extended community defined in RFC 5512 (The BGP Encapsulation Subsequent Address Family Identifier (SAFI) and the BGP Tunnel Encapsulation Attribute), which indicates the associated encapsulation of the route.
  • Page 275 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 • bgp enables the context for the BGP configuration relevant to the service. If a manual (non-auto-derived) RD/RT, as well as import/export policies, are needed for the service, the commands in the bgp context must be configured. When bgp-evpn is enabled in a VPLS instance, other families are supported within the same service (bgp-ad and bgp-mh, not bgp-vpls).
  • Page 276 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • bgp-evpn>cfm-mac-advertisement must be enabled when eth-cfm is used across an EVPN-MPLS service among different PEs. If a Maintenance Endpoint (MEP) or Maintenance domain Intermediate Point (MIP) is configured in any of the SAP/SDP bindings in the VPLS and has to exchange eth-cfm packets with a remote MEP/MIP across the EVPN-MPLS core, this command must be enabled.
  • Page 277 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 − If the auto-bind-tunnel resolution any is configured, as in the example, EVPN destinations in the service are resolved based on the best tunnel in the Tunnel Table Manager (TTM). For instance, the following command shows the existing EVPN destinations for VPLS 1 in PE-3.
  • Page 278 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 − The user must set the resolution to filter to activate the list of tunnel-types configured under resolution-filter. Although not shown in the bgp-evpn mpls basic configuration for PE-3, there are other parameters that can be modified: *A:PE-3# configure service vpls 1 bgp-evpn mpls - mpls...
  • Page 279 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 • send-evpn-encap configures the encapsulation to be advertised with the EVPN routes for the service. The encapsulation is encoded in RFC5512-based tunnel encapsulation extended communities. When configured in the bgp-evpn>mpls context, the supported options are none (no send-evpn-encap), mpls, mplsoudp, or both.
  • Page 280 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 192.0.2.5 262140 05/04/2017 08:09:05 ------------------------------------------------------------------------------- Number of entries : 3 ------------------------------------------------------------------------------- =============================================================================== =============================================================================== BGP EVPN-MPLS Ethernet Segment Dest =============================================================================== Eth SegId Num. Macs Last Change ------------------------------------------------------------------------------- No Matching Entries =============================================================================== ===============================================================================...
  • Page 281 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 BGP EVPN MPLS Auto Bind Tunnel Information =============================================================================== Resolution : any Filter Tunnel Types: (Not Specified) =============================================================================== When traffic is generated, the PEs will start learning MAC addresses and advertising them in BGP so that the remote PEs learn those MAC addresses against EVPN destinations.
  • Page 282 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Number of entries : 4 ------------------------------------------------------------------------------- =============================================================================== When an EVPN-MPLS destination or MAC address is not created/installed correctly, the user may check the BGP-EVPN routes received and the routes kept in the RIB. The routes that the PE receives are shown when debug router bgp update is enabled.
  • Page 283 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 If the route is successfully imported, it can be shown in the RIB (show router bgp routes commands). The route shown in the debug and the same route in a show command do not necessarily have the same label value.
  • Page 284 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 far-end 192.0.2.4 no shutdown exit vpls 1 spoke-sdp 24:1 create exit exit The service configuration on PE-4 is as follows: configure service sdp 42 mpls create far-end 192.0.2.2 no shutdown exit...
  • Page 285 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 Spoke SDP 24:1 is down because of an EVPN route conflict, as indicated by the flags: *A:PE-2# show service id 1 sdp 24 detail | match Flag context all Flags : PWPeerFaultStatusBits EvpnRouteConflict...
  • Page 286 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 exit exit bgp-evpn mpls split-horizon-group "CORE" ingress-replication-bum-label ecmp 2 auto-bind-tunnel resolution any exit no shutdown exit exit sap 1/2/1:2 split-horizon-group "CORE" create exit sap lag-1:2 create exit no shutdown EVPN-MPLS Multi-Homing...
  • Page 287 ESI-2 that will be resolved to the two next-hops: PE-2 and PE-3. Unicast load-balancing will happen as long as ECMP > 1 is enabled in PE-4. Nokia recommends the use of ingress-replication-bum-label on the PEs that are part of an all-active ES. In an all-active multi-homing scenario, if a specified MAC...
  • Page 288 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 This issue is solved by the use of ingress-replication-bum-label in PE-2 and PE-3. If configured, PE-2/PE-3 will know that the received packet is an unknown unicast packet;...
  • Page 289 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 configure lag 1 mode access encap-type dot1q port 1/1/1 lacp active administrative-key 1 system-id 00:00:00:00:02:03 no shutdown Ethernet segment “ESI-12” is configured in the service system bgp-evpn context on PE-2 and PE-3, as follows: configure service...
  • Page 290 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 − esi — 10-byte identifier that represents the ES in the BGP control plane. The same ESI must be configured in all the PEs connected to the same CE/MTU (using a unique value that cannot be associated with any other CE/MTU/access network).
  • Page 291 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 − service-carving — As defined in RFC 7432, service-carving controls the distribution of DF/non-DF roles across the different services defined in an *A:PE-2>config>service>system>bgp-evpn>eth-seg>service-carving# mode - mode {manual|auto} <manual|auto>...
  • Page 292 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Although not configured as part of the ES, the config>redundancy>bgp-evpn-multi-homing>boot-timer allows the necessary time for the control plane protocols to come up after the PE has rebooted, and before bringing up the ESs and running the DF algorithm.
  • Page 293 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 =============================================================================== Description : Default System Log Memory Log contents [size=500 next event=118 (not wrapped)] 117 2017/05/05 13:52:44.77 UTC MINOR: SVCMGR #2203 Base "Status of SAP lag-1:1 in service 1 (customer 1) changed to admin=up oper=up flags=" All-Active Multi-Homing Operation To confirm that all-active multi-homing is working correctly for ESI-12, the user can use the following commands:...
  • Page 294 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The following command shows that PE-2 is not the DF and the DF candidate PEs for EVI 1 are PE-2 and PE-3: *A:PE-2# show service system bgp-evpn ethernet-segment name "ESI-12" evi 1 =============================================================================== EVI DF and Candidate List ===============================================================================...
  • Page 295 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 192.0.2.2 192.0.2.3 ------------------------------------------------------------------------------- Number of entries: 2 ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- ---snip--- The following command shows all information related to ESI-12 on PE-3: *A:PE-3# show service system bgp-evpn ethernet-segment name "ESI-12" all =============================================================================== Service Ethernet Segment ===============================================================================...
  • Page 296 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Total Path Attr Length = 70 Flag: 0x90 Type: 14 Len: 34 Multiprotocol Reachable NLRI: Address Family EVPN NextHop len 4 NextHop 192.0.2.3 Type: EVPN-Eth-Seg Len: 23 RD: 192.0.2.3:0 ESI: 01:00:00:00:00:12:00:00:00:01, IP-Len: 4 Orig-IP-Addr: 192.0.2.3 Flag: 0x40 Type: 1 Len: 1 Origin: 0 Flag: 0x40 Type: 2 Len: 0 AS Path:...
  • Page 297 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 Flag: 0x90 Type: 14 Len: 36 Multiprotocol Reachable NLRI: Address Family EVPN NextHop len 4 NextHop 192.0.2.3 Type: EVPN-AD Len: 25 RD: 192.0.2.3:1 ESI: 01:00:00:00:00:12:00:00:00:01, tag: MAX-ET Label: 0 Flag: 0x40 Type: 1 Len: 1 Origin: 0 Flag: 0x40 Type: 2 Len: 0 AS Path: Flag: 0x80 Type: 4 Len: 4 MED: 0...
  • Page 298 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== *A:PE-2# show router bgp routes evpn auto-disc esi 01:00:00:00:00:12:00:00:00:01 hunt ---snip--- =============================================================================== BGP EVPN Auto-Disc Routes =============================================================================== ------------------------------------------------------------------------------- RIB In Entries ------------------------------------------------------------------------------- Network : N/A Nexthop : 192.0.2.3 From...
  • Page 299 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 l - leaked, x - stale, > - best, b - backup, p - purge Origin codes : i - IGP, e - EGP, ? - incomplete =============================================================================== BGP EVPN Auto-Disc Routes ===============================================================================...
  • Page 300 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 ServId Source-Identifier Type Last Change ------------------------------------------------------------------------------- 00:00:11:11:11:11 eES: Evpn 05/05/17 08:57:00 01:00:00:00:00:12:00:00:00:01 ---snip--- • Due to the aliasing function, the newly created EVPN-MPLS ES destination to ESI-12 has two next-hops (PE-2 and PE-3), to which PE-4 can load-balance the unicast traffic because ecmp 2 is configured in the VPLS-1 of PE-4.
  • Page 301 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 192.0.2.2 262141 05/05/2017 11:47:00 192.0.2.3 262141 05/05/2017 11:47:00 ------------------------------------------------------------------------------- Number of entries : 2 ------------------------------------------------------------------------------- =============================================================================== • PE-3 will show the CE-11 MAC address as learned locally in SAP lag-1:1 (because the data plane learning of the CE-11 MAC address happened in PE-3).
  • Page 302 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 43 EVPN-MPLS Single-Active Multi-Homing: Mass-Withdraw, Backup Path ESI34 PE-4 Withdraw EVI 1 EVI 2 PE-2 EVI 3 ESI34 EVI 1 EVI 2 EVI 3 EVI 1 EVI 2 EVI 3 PE-5...
  • Page 303 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 service sdp 46 mpls create far-end 192.0.2.6 no shutdown exit Ethernet segment “ESI-34” is configured on PE-4 as follows: configure service system bgp-evpn ethernet-segment "ESI-34" create esi 01:00:00:00:00:34:00:00:00:01 es-activation-timer 3 service-carving...
  • Page 304 Although the ESI-label is always used in all-active multi-homing when sending BUM traffic between the PEs in the ES, it is configurable for single-active. However, Nokia recommends using the default option (using ESI-label) to avoid potential transient issues when there is a DF switchover.
  • Page 305 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 ingress-replication-bum-label ecmp 2 auto-bind-tunnel resolution any exit no shutdown exit exit spoke-sdp 56:1 create no shutdown exit no shutdown In all-active multi-homing, the non-DF does not bring down the service SAP associated with the ES (it only removes it from the default-multicast-list).
  • Page 306 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The local PW bits (pwFwdingStandby) are sent to MTU-6: *A:PE-4# show service id 1 sdp 46:1 detail | match Pw Local Pw Bits : pwFwdingStandby Peer Pw Bits : None Single-Active Multi-Homing Operation The same commands used in the...
  • Page 307 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 =============================================================================== Legend - Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid l - leaked, x - stale, > - best, b - backup, p - purge Origin codes : i - IGP, e - EGP, ? - incomplete ===============================================================================...
  • Page 308 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== BGP EVPN-MPLS Dest TEP Info =============================================================================== TEP Address Egr Label Last Change Transport ------------------------------------------------------------------------------- 192.0.2.5 262141 05/05/2017 12:22:41 ------------------------------------------------------------------------------- Number of entries : 1 ------------------------------------------------------------------------------- =============================================================================== •...
  • Page 309 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 *A:PE-5# show service id 1 fdb detail =============================================================================== Forwarding Database, Service 1 =============================================================================== ServId Source-Identifier Type Last Change ------------------------------------------------------------------------------- 00:00:16:16:16:16 sdp:56:1 L/60 05/05/17 12:37:26 ---snip--- ------------------------------------------------------------------------------- Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf ===============================================================================...
  • Page 310 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Svc Carving : auto Oper Svc Carving : auto Cfg Range Type : primary =============================================================================== PE-5 is no longer the DF and the only DF candidate is PE-4: *A:PE-5# show service system bgp-evpn ethernet-segment name "ESI-34"...
  • Page 311 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 *A:PE-4# show service system bgp-evpn ethernet-segment name "ESI-34" evi 1 =============================================================================== EVI DF and Candidate List =============================================================================== SvcId Actv Timer Rem DF Last Change ------------------------------------------------------------------------------- yes 05/05/2017 13:24:58 =============================================================================== =============================================================================== DF Candidates...
  • Page 312 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The following must be considered: • The DF election procedure is revertive, that is, when the failed SDP comes back up, PE-5 will take over again as DF and the network will re-converge. •...
  • Page 313 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 • EVPN MACs with higher SEQ number • Lowest IP (next-hop IP of the EVPN NLRI) • Lowest eth-tag (will be normally zero) • Lowest RD •...
  • Page 314 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 BGP EVPN-MPLS Ethernet Segment Dest =============================================================================== Eth SegId Num. Macs Last Change ------------------------------------------------------------------------------- 01:00:00:00:00:12:00:00:00:01 05/05/2017 14:00:24 =============================================================================== =============================================================================== BGP EVPN-MPLS Dest TEP Info =============================================================================== TEP Address Egr Label Last Change Transport...
  • Page 315 Advanced Configuration Guide - Part II EVPN for MPLS Tunnels Releases Up To 15.0.R5 Table 4 Comparing EVPN Multi-homing and BGP Multi-homing (Continued) VPN Requirements EVPN-MH BGP-MH Comments Allows multiple SAPs or SDP-bindings per service on Through the use of the same site SHGs Boot timer and site(es)-...
  • Page 316 EVPN for MPLS Tunnels Advanced Configuration Guide - Part II Releases Up To 15.0.R5 spoke-sdp 46:1 create no shutdown exit no shutdown -------------------------------------- For BGP multi-homing, site “site-1” is configured, as follows. The RD needs to be configured in the bgp context. config>service>vpls# info --------------------------------------- route-distinguisher 192.0.2.4:1...
  • Page 317 FDB age-time. • In scaled environments (with thousands of services), it is not recommended to set the send-refresh value to less than 300 s. In such scenarios, Nokia recommends using a minimum proxy-ARP/ND age-time and FDB age of 900 s.
  • Page 318 − no host-unsolicited-na-flood-evpn − no router-unsolicited-na-flood-evpn • Nokia recommends using the preceding commands only in EVPN networks where the CEs are routers directly connected to an SR OS node acting as the PE. Networks using aggregation switches between the host/routers and the PEs should flood GARP/ND messages in EVPN to make sure the remote caches are updated and BGP does not miss the advertisement of these entries.
  • Page 319 An example of proxy-ARP configuration is as follows. This configuration should be added to all PEs. When a new ARP message is received on any of the PEs, they will learn the IP-MAC address pair and will advertise it to the network.
  • Page 320 Seq:0 LABEL 262141 192.0.2.5 u*>i 192.0.2.5:1 16:4f:ff:00:03:3a ESI-0 Static LABEL 262141 192.0.2.5 ---snip--- =============================================================================== Troubleshooting and Debug Commands When troubleshooting an EVPN-MPLS network, the following show commands and debug commands are recommended, as already discussed throughout this chapter: •...
  • Page 321 • Each remote PE consumes one EVPN-MPLS destination for unicast (if they advertise MAC/IP routes to PE-2 and the ingress-replication-bum-label is configured in all the PEs). PE-2 has three remote unicast EVPN-MPLS destinations.
  • Page 323: Evpn For Mpls Tunnels In Epipe Services (Evpn-Vpws)

    EVPN for MPLS Tunnels in Epipe Services (EVPN-VPWS) This chapter provides information about EVPN for MPLS Tunnels in Epipe Services (EVPN-VPWS). Topics in this chapter include: •...
  • Page 324 Figure 44 shows the encoding of the required extensions for the route-types 1 and 4 for EVPN-VPWS. Figure 44 Route Types and NLRIs for EVPN-VPWS ES-Import Route Target ESI Label Extended Community EVPN NLRI Encoded in...
  • Page 325 MPLS label, and the Ethernet Segment ID (ESI) are encoded as for EVPN-MPLS. The MPLS label field is used as service label. In case of multi-homing, AD per-EVI routes containing the same ESI are used to provide aliasing and a backup path to the PEs part of the ES.
  • Page 326 Figure 45 EVPN-VPWS Example Topology PE-2 PE-4 192.0.2.2 192.0.2.4 CE-20 MTU-1 MTU-6 192.0.2.1 192.0.2.6 CE-10 CE-60 PE-3 PE-5 192.0.2.3 192.0.2.5 The example topology consists of six 7750 SR routers with the following initial configuration: •...
  • Page 327 exit exit exit The BGP configuration on the other PEs is as follows: configure router autonomous-system 64500 vpn-apply-import vpn-apply-export min-route-advertisement 1 enable-peer-tracking rapid-withdrawal split-horizon...
  • Page 328 Figure 46 Example Topology for EVPN-VPWS without Multi-Homing SAP 1/2/1:1 Spoke-SDP460:1 Epipe 1 Epipe 1 Epipe 1 Epipe 1 Epipe 1 CE-20 CE-60 AC-PE-2-CE-20...
  • Page 329 eth-tag 46 exit remote-ac-name AC-PE-2-CE-20 eth-tag 220 exit evi 1 mpls auto-bind-tunnel resolution any exit no shutdown exit exit spoke-sdp 460:1 create exit no shutdown Where the following commands are relevant for the EVPN-VPWS configuration:...
  • Page 330 The EVI values must be unique in the system, regardless of the type of service they are assigned to (Epipe or VPLS). −...
  • Page 331 target:64500:1 l2-attribute:MTU: 1514 C: 0 P: 0 B: 0 bgp-tunnel-encap:MPLS " The auto-derived RD is 192.0.2.1:1 and the RT is 64500:1. When the remote AC on PE-4 (spoke-SDP 460:1) is up, PE-2 receives the following BGP update from PE-4: 5 2017/05/08 05:49:31.98 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.4...
  • Page 332 The MPLS label in the debug message is not the same as in the service, because the router will strip the extra four lowest bits to get the 20-bit MPLS label. The egress label for the EVPN-MPLS destination on PE-4 is 262138.
  • Page 333 Filter Tunnel Types: (Not Specified) =============================================================================== *A:PE-2# Note: Each PE will send its service MTU into the L2 MTU field in the L2-attribute in the AD per-EVI route for the Epipe service.
  • Page 334 The following sections show the configuration of: • an all-active multi-homing ES with a LAG associated with it • a single-active multi-homing ES linked to an SDP Figure 47 shows the example topology has an all-active multi-homing ES "ESI-23"...
  • Page 335 esi 01:00:00:00:00:23:00:00:00:01 es-activation-timer 3 service-carving mode auto exit multi-homing all-active lag 1 no shutdown exit exit exit epipe 2 customer 1 create exit bgp-evpn local-ac-name AC-ESI-23-MTU-1...
  • Page 336 target:00:00:00:00:23:00 " The target 00:00:00:00:23:00 in the extended community is derived from the ESI (bytes 2 to 7) and is only imported by the PEs that are part of the same ES; that is, PE-2 and PE-3 in this example.
  • Page 337 The ESI label is in the extended community, as well as the indication that the multi-homing is all-active. Epipe services do not require ESI labels because BUM traffic is not recognized as such in EVPN-VPWS services.
  • Page 338 This route contains the flags for control word (C), primary (P), and backup (B). In all-active multi-homing, all nodes are primary (P=1). PE-4 has learned AD per-EVI/ES routes for ESI-23 from PE-2 and PE-3, as shown in the following output: *A:PE-4# show router bgp routes evpn auto-disc esi 01:00:00:00:00:23:00:00:00:01...
  • Page 339 =============================================================================== *A:PE-4# When ECMP > 1 on the ingress PE, multiple TEPs can correspond to a specific ESI (aliasing). In this case, ECMP=2 and PE-4 and PE-5 have two TEP addresses and Egress labels for ESI 01:00:00:00:00:23:00:00:00:01, as shown for PE-4: *A:PE-4# show service id 2 evpn-mpls esi 01:00:00:00:00:23:00:00:00:01 ========================================================...
  • Page 340 No entries found =============================================================================== *A:PE-2# Similarly, on PE-3: *A:PE-3# show service system bgp-evpn ethernet-segment name "ESI-23" evi 2 =============================================================================== EVI DF and Candidate List =============================================================================== SvcId Actv Timer Rem...
  • Page 341 EVPN for MPLS Tunnels in Epipe Services with Single-Active Multi-Homing Single-active multi-homing allows for per-service load-balancing. Single-active multi-homing is configured on PE-4 and PE-5 with ES "ESI-45". Both PEs have an SDP to MTU-6, which is associated with the ES and to the Epipe service.
  • Page 342 configure service sdp 56 mpls create far-end 192.0.2.6 no shutdown exit system bgp-evpn ethernet-segment "ESI-45" create esi 01:00:00:00:00:45:00:00:00:01 es-activation-timer 3 service-carving mode auto exit multi-homing single-active...
  • Page 343 Address Family EVPN NextHop len 4 NextHop 192.0.2.4 Type: EVPN-Eth-Seg Len: 23 RD: 192.0.2.4:0 ESI: 01:00:00:00:00:45:00:00:00:01, IP-Len: 4 Orig-IP-Addr: 192.0.2.4 Flag: 0x40 Type: 1 Len: 1 Origin: 0 Flag: 0x40 Type: 2 Len: 0 AS Path: Flag: 0x80 Type: 4 Len: 4 MED: 0 Flag: 0x40 Type: 5 Len: 4 Local Preference: 100...
  • Page 344 Type: EVPN-AD Len: 25 RD: 192.0.2.4:2 ESI: 01:00:00:00:00:45:00:00:00:01, tag: 456 Label: 4194160 Flag: 0x40 Type: 1 Len: 1 Origin: 0 Flag: 0x40 Type: 2 Len: 0 AS Path: Flag: 0x80 Type: 4 Len: 4 MED: 0 Flag: 0x40 Type: 5 Len: 4 Local Preference: 100 Flag: 0x80 Type: 9 Len: 4 Originator ID: 192.0.2.4...
  • Page 345 LABEL 262135 u*>i 192.0.2.4:2 01:00:00:00:00:45:00:00:00:01 192.0.2.4 MAX-ET LABEL 0 u*>i 192.0.2.5:2 01:00:00:00:00:45:00:00:00:01 192.0.2.5 LABEL 262137 u*>i 192.0.2.5:2 01:00:00:00:00:45:00:00:00:01 192.0.2.5 MAX-ET LABEL 0 ------------------------------------------------------------------------------- Routes : 4 ===============================================================================...
  • Page 346 TEP Address Egr Label Last Change Transport ------------------------------------------------------------------------------- 192.0.2.4 262135 05/08/2017 10:48:09 ------------------------------------------------------------------------------- Number of entries : 1 ------------------------------------------------------------------------------- =============================================================================== *A:PE-2# The DF election is key for the forwarding and backup functions in single-active multi-homing ESs.
  • Page 347 Flags : StandbyForMHProtocol Two consecutive DF elections take place: the first DF election includes all PEs in the ES for that Epipe and determines which PE is the primary PE (flags P=1, B=0). The second DF election excludes this DF and determines which PE is the backup (P=0, B=1).
  • Page 348 Flag: 0x90 Type: 14 Len: 36 Multiprotocol Reachable NLRI: Address Family EVPN NextHop len 4 NextHop 192.0.2.5 Type: EVPN-AD Len: 25 RD: 192.0.2.5:2 ESI: 01:00:00:00:00:45:00:00:00:01, tag: 456 Label: 4194192 Flag: 0x40 Type: 1 Len: 1 Origin: 0 Flag: 0x40 Type: 2 Len: 0 AS Path:...
  • Page 349 ------------------------------------------------------------------------------- Number of entries : 1 ------------------------------------------------------------------------------- =============================================================================== *A:PE-2# This process is always revertive; as soon as the SDP 46 is operationally up again, a new DF election is triggered with two DF candidates and PE-4 will be elected as DF.
  • Page 350 *A:PE-3# show router bgp routes evpn eth-seg =============================================================================== BGP Router ID:192.0.2.3 AS:64500 Local AS:64500 =============================================================================== Legend - Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid l - leaked, x - stale, >...
  • Page 351 =============================================================================== Service Id Egr Label ------------------------------------------------------------------------------- 262138 ------------------------------------------------------------------------------- =============================================================================== =============================================================================== BGP EVPN-MPLS Ethernet Segment Dest =============================================================================== Service Id Eth Seg Id Egr Label ------------------------------------------------------------------------------- 01:00:00:00:00:45:00:00:00:01...
  • Page 352 MPLS-TEP VXLAN-TEP Total-TEP 1/ 16383 Mpls Dests (TEP, Egress Label + ES + ES-BMAC) Mpls Etree Leaf Dests Vxlan Dests (TEP, Egress VNI) Total-Dest 2/196607 Sdp Bind +...
  • Page 353: Evpn For Mpls Tunnels In Routed Vpls

    EVPN for MPLS Tunnels in Routed VPLS This chapter provides information about EVPN for MPLS Tunnels in Routed VPLS. Topics in this chapter include: •...
  • Page 354 All-active and single-active MH Ethernet segments (ESs) are supported in R-VPLS. When Ethernet Segments (ESs) are used along with R-VPLS services in two or more PEs, Passive VRRP provides an "anycast default gateway"...
  • Page 355 Figure 48 Passive VRRP - vMAC/vIP Advertised By GARP PE-2 PE-4 192.0.2.2 192.0.2.4 CE-41 LAG-1 CE-43 CE-11 EVPN tunnel EVI 200 MTU-1 192.0.2.1 ESI-23 PE-3 192.0.2.3...
  • Page 356 • In case of ES failure, or in case of single-active MH if the traffic arrives at the non-Designated Forwarder (NDF) PE, the traffic will not be discarded at the peer ES PE.
  • Page 357 EVPN-MPLS R-VPLS without Multi-homing The first scenario describes R-VPLS support including IP route advertisement (BGP-EVPN route type 5) with EVPN tunnel interfaces, without multi-homing. VPLS 101 does not have any connected host, but the linked VPRN has SAP 1/2/1:10.
  • Page 358 The CEs are connected to SAP 1/2/1:10 in VPRN 10. R-VPLS 101 is bound to VPRN 10 and VPRN 10 has a dedicated interface "int-evi-100" for the EVPN tunnel. In general, if only one route-target (RT) is used for import and export in the EVPN-VPLS, it is good to add the EVI and have the route distinguisher (RD) and RT auto-derived from the EVI.
  • Page 359 The configuration is similar on PE-3. It is important that the RD is different on PE-2 and PE-3, but it is automatically the case when the RD is auto-derived from the configured EVI, as in the example.
  • Page 360 =============================================================================== Route Table (Service: 10) =============================================================================== Dest Prefix[Flags] Type Proto Pref Next Hop[Interface Name] Metric ------------------------------------------------------------------------------- 172.16.2.0/24 Remote BGP EVPN 00h06m45s int-evi-101 (ET-16:0a:ff:ff:ff:a2) 172.16.3.0/24 Local Local...
  • Page 361 exit sap 1/2/1:16 create exit exit interface "int-evi-106" create ipv6 exit vpls "evi-106" evpn-tunnel exit exit no shutdown exit vpls 106 name "evi-106" customer 1 create allow-ip-int-bind exit exit...
  • Page 362 The IPv6 route-table on PE-3 is as follows: *A:PE-3# show router 16 route-table ipv6 =============================================================================== IPv6 Route Table (Service: 16) =============================================================================== Dest Prefix[Flags] Type Proto Pref...
  • Page 363 Figure 50 EVPN-MPLS R-VPLS with All-Active MH ES PE-2 PE-4 192.0.2.2 192.0.2.4 CE-41 172.16.20.41 2001:db8:16::20:41 LAG-1 CE-43 172.16.23.43 2001:db8:16::23:43 CE-11 172.16.20.11 EVPN tunnel EVI 200 CE-16 2001:db8:16::20:16 MTU-1...
  • Page 364 exit exit All-active multi-homing Ethernet segment "ESI-23" is configured on PE-2 and PE-3, as follows: configure service system bgp-evpn ethernet-segment "ESI-23" create esi 01:00:00:00:00:23:00:00:00:01 es-activation-timer 3 service-carving mode auto...
  • Page 365 exit exit interface "int-evi-200" create ipv6 exit vpls "evi-200" evpn-tunnel exit exit router-advertisement interface "int-evi-202" use-virtual-mac no shutdown exit exit no shutdown exit vpls 200 customer 1 create allow-ip-int-bind exit...
  • Page 366 The IPv6 VRRP backup address is in the same subnet as the link local address of the interface "int-evi-202". The option dad-disable is configured on the link local address to disable Duplicate Address Detection (DAD) and set the IPv6 address as preferred.
  • Page 367 The three PEs advertise the same (anycast) vMAC/vIP in EVI 202 as protected, but each PE keeps its own MAC entry in the FDB. The following FDB shows that the source identifier for vMAC 00:00:5e:00:01:01 and vMAC 00:00:5e:00:02:01 is the CPM.
  • Page 368 Flag: 0xc0 Type: 16 Len: 24 Extended Community: target:64500:200 mac-nh:16:0c:ff:00:00:05 bgp-tunnel-encap:MPLS " The IP prefixes are advertised with next-hop equal to the EVPN-tunnel GW MAC "int-evi-200", as follows: *A:PE-4# show router 20 interface "int-evi-200"...
  • Page 369 The EVPN tunnel service VPLS 200 has all the MAC addresses of the EVPN interfaces within VPRN 20 as static (S) and protected (P), as follows: *A:PE-2# show service id "evi-200"...
  • Page 370 int-evi-202 Master IPv6 Backup Addr: fe80::16:20:fe ------------------------------------------------------------------------------- Instances : 2 =============================================================================== *A:PE-3# *A:PE-4# show router 20 vrrp instance =============================================================================== VRRP Instances =============================================================================== Interface Name VR Id Own Adm State Base Pri...
  • Page 371 *A:PE-4# show router 20 route-table ipv6 =============================================================================== IPv6 Route Table (Service: 20) =============================================================================== Dest Prefix[Flags] Type Proto Pref Next Hop[Interface Name] Metric ------------------------------------------------------------------------------- 2001:db8:16::20:0/120 Local Local...
  • Page 372 Forwarding Database, Service 202 =============================================================================== ServId Source-Identifier Type Last Change ------------------------------------------------------------------------------- 00:00:01:00:00:11 eES: Evpn 07/13/17 12:20:04 01:00:00:00:00:23:00:00:00:01 00:00:01:00:00:16 eES: Evpn 07/13/17 12:20:10 01:00:00:00:00:23:00:00:00:01 00:00:04:00:00:41 sap:1/2/1:41 L/60 07/13/17 12:19:59...
  • Page 373 Figure 51 EVPN-MPLS R-VPLS with Single-active Multi-Homing PE-2 PE-4 192.0.2.2 192.0.2.4 CE-41 172.16.20.41 2001:db8:16::20:41 ESI-23 CE-43 172.16.23.43 2001:db8:16::23:43 CE-11 172.16.20.11 EVPN tunnel EVI 200 CE-16 2001:db8:16::20:16 MTU-1...
  • Page 374 *A:PE-2>config>service# info ---------------------------------------------- system bgp-evpn ethernet-segment "ESI-23" create esi 01:00:00:00:00:23:00:00:00:01 es-activation-timer 3 service-carving mode auto exit multi-homing single-active sdp 21 no shutdown exit exit exit ---snip---...
  • Page 375 no shutdown exit exit no shutdown exit vpls 200 customer 1 create allow-ip-int-bind exit exit bgp-evpn ip-route-advertisement evi 200 vxlan shutdown exit mpls auto-bind-tunnel resolution any exit...
  • Page 376 *A:PE-2# show service id 202 ethernet-segment No sap entries =============================================================================== SDP Ethernet-Segment Information =============================================================================== Eth-Seg Status ------------------------------------------------------------------------------- 21:20 ESI-23 =============================================================================== *A:PE-2# *A:PE-3# show service id 202 ethernet-segment No sap entries =============================================================================== SDP Ethernet-Segment Information...
  • Page 377 When the SDP between MTU-1 and DF PE-2 goes down, traffic from CE-41 to CE-11 is forwarded by PE-4 to DF PE-2. PE-2 cannot forward the packets to CE-11 directly, and will forward the packets to its ES peer PE-3.
  • Page 379: Evpn For Pbb Over Mpls (Pbb-Evpn)

    EVPN for PBB over MPLS (PBB-EVPN) This chapter provides information about EVPN for PBB over MPLS (PBB-EVPN). Topics in this chapter include: • Applicability •...
  • Page 380 Table 5 EVPN and PBB-EVPN SR OS Feature Comparison (Continued) VPN requirements EVPN PBB-EVPN Comments Ethernet Local Area Network (E-LAN) and point-to-point E-Line services Inter-subnet-forwarding Allows combined Layer 2 / Layer 3 services.
  • Page 381 Figure 52 EVPN Route Types Inclusive Multicast EVPN NLRI Encoded in Ethernet Tag Route MP_REACH_NLRI/MP_UNREACH_NLRI Route Distinguisher (8 bytes) AFI=25 SAFI=70 (EVPN) Zero for default tree Ethernet Tag ID (4 bytes) ISID for per-ISID tree Route Type (1 byte)
  • Page 382 Configuration This example describes the basic PBB-EVPN configuration first (without multi-homing) and how the flood containment is handled in PBB-EVPN. Flood containment refers to the efficient distribution of the BUM traffic generated for an ISID. Networks are not always greenfield, so a smooth migration of PBB-EVPN from PBB-VPLS is required to minimize the effect on existing services.
  • Page 383 When configuring PBB-EVPN: • There is no difference at the access side (I-VPLS and Epipe configuration) compared to other PBB technologies supported in SR OS, such as Shortest Path Bridging for MAC (SPBM) or PBB-VPLS.
  • Page 384 - no bgp-evpn [no] accept-ivpls-e* - Configure to accept non-zero ethernet-tag MAC routes and process for CMAC flushing [no] cfm-mac-advert* - Enable/disable the advertisement of MEP, MIP, and VMEP MAC addresses over the BGP EVPN [no] evi - EVPN Identifier...
  • Page 385 Flood Containment for I-VPLS Services In general, PBB technologies in SR OS support a way to contain flooding for a specified I-VPLS ISID, so that BUM traffic for that ISID only reaches the PEs where the ISID is locally defined.
  • Page 386 Figure 54 PBB-EVPN — Flooding Lists EVPN Destinations PE-2 PE-3 PE-1 ISID-1001 I-VPLS PE-4 B-VPLS 1000 PE-5 PE-6 (BGP-AD) PE-7 VPLS Destinations In this situation, PE-1 creates two flooding lists in B-VPLS 1000: •...
  • Page 387 source-bmac 00:00:00:00:00:02 exit exit bgp-evpn evi 1000 mpls auto-bind-tunnel resolution any exit no shutdown exit exit no shutdown *A:PE-2# show service id 1000 mfib =============================================================================== Multicast FIB, Service 1000 ===============================================================================...
  • Page 388 192.0.2.4 262130 192.0.2.5 262132 ------------------------------------------------------------------------- The MFIB on PE-2 does not contain any entries for ISID 1001 anymore, as follows: *A:PE-2# show service id 1000 mfib =============================================================================== Multicast FIB, Service 1000 ===============================================================================...
  • Page 389 Initial Configuration Initially, the network is configured for PBB-VPLS with BGP-AD in B-VPLS 1000. The EVPN family is to be added. At the access, I-VPLS 1001 is connected to the CEs. As an example, the configuration in PE-3 is shown.
  • Page 390 exit exit sap 1/2/1:1001 create exit no shutdown exit *A:PE-3# show service id 1000 base =============================================================================== Service Basic Information =============================================================================== Service Id : 1000 Vpn Id Service Type : b-VPLS...
  • Page 391 Note: When the service>split-horizon-group is removed, an eval-pw-template must be performed. Note: After adding the split-horizon-group at the service level, an eval-pw-template must be performed again so that the SDP-bindings take the new SHG configuration. Note: During the time between the split-horizon-group being removed and added back again, the SDP-bindings can forward BUM traffic to each other, so this operation must be done carefully to avoid loops.
  • Page 392 exit bgp-ad vpls-id 64500:1000 no shutdown exit shutdown exit no shutdown Step 2. Add BGP-EVPN and ISID-policy configuration to the B-VPLS. After the B-VPLS is configured with the split horizon group, the BGP-EVPN configuration and ISID-policy can be added (still in shutdown), as follows.
  • Page 393 3 2017/05/05 10:58:50.21 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.2 "Peer 1: 192.0.2.2: UPDATE Peer 1: 192.0.2.2 - Received BGP UPDATE: Withdrawn Length = 0 Total Path Attr Length = 117 Flag: 0x90 Type: 14 Len: 47 Multiprotocol Reachable NLRI: Address Family EVPN...
  • Page 394 =============================================================================== * indicates that the corresponding row element may have been truncated. The reason why the spoke SDP toward PE-5 is down is an EVPN route conflict: *A:PE-3# show service id 1000 sdp 17405:4294967293 detail | match Flag context all Flags...
  • Page 395 192.0.2.5 262132 05/05/2017 10:58:50 ------------------------------------------------------------------------------- Number of entries : 3 ------------------------------------------------------------------------------- =============================================================================== The routes for ISID 1001 are valid and used by BGP (flags u*>i): *A:PE-3# show router bgp routes evpn inclusive-mcast tag 1001 =============================================================================== BGP Router ID:192.0.2.3...
  • Page 396 After removing the ISID-policy, the MFIB is populated with entries for the ISID 1001 group BMAC to the three remote PEs where ISID 1001 is defined: *A:PE-3# show service id 1000 mfib ===============================================================================...
  • Page 397 Advanced Configuration Guide - Part II EVPN for PBB over MPLS (PBB-EVPN) Releases Up To 15.0.R5 BGP-AD is disabled as follows: *A:PE-4# configure service vpls 1000 bgp-ad shutdown After BGP-AD is shut down, the spoke SDP bindings are deleted. 175 2017/05/05 12:41:55.27 UTC MINOR: SVCMGR #2306 Base "Status of SDP Bind 17407:4294967295 in service 1000 (customer 1) changed to admin=down oper=down flags=sdpBindAdminDown noIngressVcLabel noEgressVcLabel "...
  • Page 398 EVPN for PBB over MPLS (PBB-EVPN) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 4. If there is no manual/auto-rd/vpls-id/evi configuration, there will be no RD and the service will fail. If the advertisement of new updates is not needed in the migration from BGP-AD to BGP-EVPN, the initial configuration must include manual/auto-RDs.
  • Page 399 Advanced Configuration Guide - Part II EVPN for PBB over MPLS (PBB-EVPN) Releases Up To 15.0.R5 MTU-1 and MTU-6 have been added to the network (compared to Figure 53). I-VPLS 1001 has two new sites that are multi-homed to the PBB-EVPN network. MTU-1 uses all-active multi-homing, whereas MTU-6 is connected to a single-active ES.
  • Page 400 EVPN for PBB over MPLS (PBB-EVPN) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • If source-bmacs are used, as shown on the left-hand side of Figure 56, in the case of ES failure, a BGP update with a higher sequence number is issued by PE-1 and the remote PE-3 flushes all the CMACs associated with the source-bmac.
  • Page 401 Advanced Configuration Guide - Part II EVPN for PBB over MPLS (PBB-EVPN) Releases Up To 15.0.R5 As an example, the configurations of the first, and last two, rows (LAG SAP all-active, MPLS source-BMAC, and MPLS ES-BMAC, respectively) will be discussed in the following three sections.
  • Page 402 EVPN for PBB over MPLS (PBB-EVPN) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 exit no shutdown exit vpls 1001 customer 1 i-vpls create backbone-vpls 1000 exit exit sap lag-1:1001 create exit no shutdown exit epipe 1003 customer 1 create tunnel 1000 backbone-dest-mac "PE-5"...
  • Page 403 Advanced Configuration Guide - Part II EVPN for PBB over MPLS (PBB-EVPN) Releases Up To 15.0.R5 ecmp 2 auto-bind-tunnel resolution any exit no shutdown exit exit no shutdown exit vpls 1001 customer 1 i-vpls create backbone-vpls 1000 exit exit sap 1/2/1:1001 create exit sap lag-1:1001 create exit...
  • Page 404 EVPN for PBB over MPLS (PBB-EVPN) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The es-bmac-table-size parameter modifies the default value (8) for the maximum number of ES-BMACs that can be associated with the Ethernet-segment across different B-VPLS services. When source-bmac-lsb is configured, the associated es-bmac-table-size is reserved out of the total FDB space.
  • Page 405 Advanced Configuration Guide - Part II EVPN for PBB over MPLS (PBB-EVPN) Releases Up To 15.0.R5 On PE-2, the FDB for B-VPLS 1000 has an entry for each of the other PEs. PEs do not show their own system BMACs in the FDB: *A:PE-2# show service id 1000 fdb detail =============================================================================== Forwarding Database, Service 1000...
  • Page 406 EVPN for PBB over MPLS (PBB-EVPN) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 On PE-4, there are two BGP routes for ES-BMAC 00:00:00:00:12:12: one with next hop PE-2 and the other with next hop PE-3, as follows: *A:PE-4# show router bgp routes evpn mac mac-address 00:00:00:00:12:12 =============================================================================== BGP Router ID:192.0.2.4...
  • Page 407 Advanced Configuration Guide - Part II EVPN for PBB over MPLS (PBB-EVPN) Releases Up To 15.0.R5 DF Candidates Time Added ------------------------------------------------------------------------------- 192.0.2.2 05/05/2017 16:35:01 192.0.2.3 05/05/2017 16:34:59 ------------------------------------------------------------------------------- Number of entries: 2 =============================================================================== The DF PE identifies multicast traffic by looking at either the destination BMAC or the EVPN label (which can be unicast or multicast).
  • Page 408 EVPN for PBB over MPLS (PBB-EVPN) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== BGP EVPN-MPLS Dest =============================================================================== TEP Address Egr Label Num. MACs Mcast Last Change Transport ------------------------------------------------------------------------------- 192.0.2.2 262134 05/05/2017 12:06:35 192.0.2.3 262136 05/05/2017 12:06:35 192.0.2.5 262142 05/05/2017 12:06:35...
  • Page 409 Advanced Configuration Guide - Part II EVPN for PBB over MPLS (PBB-EVPN) Releases Up To 15.0.R5 Number of entries : 2 ------------------------------------------------------------------------------- =============================================================================== A similar output will be obtained in PE-5. Unicast traffic entering I-VPLS 1001 in either PE-4 or PE-5 will be hashed and load-balanced to PE-2 and PE-3 if the destination CMAC lookup yields an es-bmac-dest: *A:PE-5# show service id 1001 fdb detail pbb ==============================================================================...
  • Page 410 EVPN for PBB over MPLS (PBB-EVPN) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 PBB-EVPN Single-Active Multi-Homing for I-VPLS with source-bmacs ESI-34 is a single-active Ethernet-segment (see Figure 55) with SDPs linked to it. As indicated in Table 6, only I-VPLS services can be used in this configuration.
  • Page 411 Advanced Configuration Guide - Part II EVPN for PBB over MPLS (PBB-EVPN) Releases Up To 15.0.R5 backbone-vpls 1000 exit exit spoke-sdp 46:1001 create exit no shutdown exit The configuration on PE-5 is similar: configure service sdp 56 mpls create far-end 192.0.2.6 no shutdown exit system...
  • Page 412 EVPN for PBB over MPLS (PBB-EVPN) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 exit sap 1/2/1:1001 create exit spoke-sdp 56:1001 create exit no shutdown exit With the preceding configuration, PE-4 and PE-5 will not advertise ES-BMACs with MAX-ESI.
  • Page 413 Advanced Configuration Guide - Part II EVPN for PBB over MPLS (PBB-EVPN) Releases Up To 15.0.R5 In the preceding example, the DF for ISID 1001 is PE-5. With a failure event on the SDP to MTU-6, PE-5 will not withdraw the advertised source-BMAC (because it is still being used as source-BMAC for other services and even CEs within the same service).
  • Page 414 EVPN for PBB over MPLS (PBB-EVPN) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 PBB-EVPN Single-Active Multi-Homing for I-VPLS with ES-BMACs As discussed throughout this chapter, the use of ES-BMACs for single-active multi-homing can minimize the number of CMACs flushed in a network. A simple change is necessary: activate the use-es-bmac command and ensure that the generated ES-BMACs in PE-4 and PE-5 are different (the source-bmac-lsb in the previous configuration had different values for PE-4 and PE-5 already):...
  • Page 415 Advanced Configuration Guide - Part II EVPN for PBB over MPLS (PBB-EVPN) Releases Up To 15.0.R5 The benefit is that in case of a failure in ESI-34 (as before) the ES-BMAC is withdrawn and the remote PEs will only flush the CMACs associated with the remote ES-34, as opposed to all the CMACs associated with PE-5.
  • Page 416 EVPN for PBB over MPLS (PBB-EVPN) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Troubleshooting and Debug Commands When troubleshooting PBB-EVPN networks, most of the troubleshooting commands discussed in EVPN for MPLS Tunnels can be used in the B-VPLS service and the base service>system>bgp-evpn instance.
  • Page 417 Advanced Configuration Guide - Part II EVPN for PBB over MPLS (PBB-EVPN) Releases Up To 15.0.R5 Service Manager VPLS PBB MFIB statistics at 05/05/2017 13:19:21: Usage per Service ServiceId MFIB User Count ------------+--------------+------- 1000 Evpn ------------+--------------+------- Total MMRP Current Usage System Limit 8191 Full, 40959 ESOnly Per Service Limit :...
  • Page 419: Applicability

    Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 EVPN for VXLAN Tunnels (Layer 2) This chapter provides information about Ethernet Virtual Private Network (EVPN) for Virtual eXtensible Local Area Network (VXLAN) tunnels in VPLS services. Topics in this chapter include: •...
  • Page 420 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • VXLAN supports multi-pathing scalability through ECMP. VXLAN uses the outer source UDP port as an entropy field that can be used by the core IP routers to balance the load across different paths.
  • Page 421 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 One of the main applications for EVPN-VXLAN services in SR OS is the Data Center Gateway (DC GW) function. In such an application, EVPN and VXLAN are expected to be used within the data center and VPLS SDP-bindings or SAPs are expected to be used for the connectivity to the WAN.
  • Page 422 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 58 EVPN-VXLAN Example Topology PE-2 PE-4 192.0.2.2 192.0.2.4 PE-1 PE-6 192.0.2.1 192.0.2.6 BGP-MH site-1 PE-3 PE-5 BGP-MH 192.0.2.3 192.0.2.5 CE-1 CE-6 site-2 172.16.0.1/24 172.16.0.6/24 00:00:01:01:01:01 00:00:06:06:06:06...
  • Page 423 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 • LDP is used as the MPLS protocol to signal transport tunnel labels among PE-2, PE-3, PE-4 and PE-5. There is no LDP running in the two overlay networks. •...
  • Page 424 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 peer-as 64500 neighbor 192.0.2.1 exit neighbor 192.0.2.3 exit exit group "WAN" family l2-vpn peer-as 64500 neighbor 192.0.2.4 exit neighbor 192.0.2.5 exit exit exit The BGP configuration on PE-3 is as follows: configure router autonomous-system 64500...
  • Page 425 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 Figure 59 BGP Adjacencies and Enabled Families PE-4 PE-2 192.0.2.4 192.0.2.2 L2VPN L2VPN L2VPN EVPN EVPN PE-1 PE-6 L2VPN 192.0.2.1 192.0.2.6 EVPN EVPN L2VPN L2VPN EVPN EVPN...
  • Page 426 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • The VNI is a 24-bit identifier with valid values in the [1..16777215] range. This defines the VNI that SR OS will use in the EVPN routes generated for the VPLS service, and therefore the VNI that the system expects to see in the VXLAN packets destined to that particular VPLS service.
  • Page 427 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 =============================================================================== VXLAN Tunnel Endpoints (VTEPs) =============================================================================== VTEP Address Number of Egress VNIs Oper State ------------------------------------------------------------------------------- 192.0.2.2 192.0.2.3 ------------------------------------------------------------------------------- Number of VTEPs: 2 ------------------------------------------------------------------------------- =============================================================================== *A:PE-1# To actually see this output, the VPLS service needs to be configured on all PEs, with import and export policy “vsi-policy-1”...
  • Page 428 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 split-horizon-group "CORE" no shutdown exit no shutdown On PE-3: configure service pw-template 1 create exit vpls 1 customer 1 create vxlan vni 1 create exit route-distinguisher 192.0.2.3:1 vsi-export "vsi-policy-1"...
  • Page 429 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 • In this example, BGP-AD spoke-SDPs are auto-instantiated using pw-template-binding 1 split-horizon-group “CORE”. − This requires the creation of the pw-template 1 (config>service>pw-template 1 create).
  • Page 430 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 exit commit Once PE-2 and PE-3 are configured as shown, they will set up the spoke SDPs and will run the DF election algorithm to determine the operational status of those spoke SDPs.
  • Page 431 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 *A:PE-2# show service id 1 vxlan =============================================================================== Vxlan Src Vtep IP: N/A =============================================================================== VPLS VXLAN, Ingress VXLAN Network Id: 1 Creation Origin: manual Assisted-Replication: none RestProtSrcMacAct: none =============================================================================== VPLS VXLAN service Network Specifics...
  • Page 432 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Flags : StandbyForMHProtocol Flags : StandbyForMHProtocol PWPeerFaultStatusBits EvpnRouteConflict Flags : None MAC Learning and unknown-mac-route Once the VPLS service (VPLS 1) is configured, the network allows the CEs to exchange unicast and BUM traffic over the overlay and VPLS-MPLS service infrastructure.
  • Page 433 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 ------------------------------------------------------------------------------- No. of MAC Entries: 3 ------------------------------------------------------------------------------- Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf =============================================================================== *A:PE-1# When a frame destined to 00:00:03:03:03:03 enters SAP 1/2/1:1, it is encapsulated into a VXLAN packet with outer destination IP 192.0.2.3 and VNI 1, and sent on the wire.
  • Page 434 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • When unknown-mac-route is configured, it will only be generated when: a) no BGP-MH site is configured within the same VPLS service or b) a site is configured and the site is DF (Designated Forwarder) in the PE.
  • Page 435 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 − The status of the spoke SDPs in the data VPLS services depends on the status of the operational group. If there is a DF switchover in VPLS 1 and VPLS 1 spoke SDPs go down on PE-2, all the spoke SDPs in all the data VPLS services controlled by “control-vpls-1”...
  • Page 436 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Use of Proxy-ARP in EVPN-VXLAN Services EVPN-VXLAN services support proxy-ARP functionality that is enabled by the proxy-arp [no] shutdown command. The default value is shutdown. When proxy-arp is enabled: •...
  • Page 437 DC GW in a Nuage architecture, the Nuage Networks Virtual Services Controller (VSC) or Virtual Services Gateway (VSG) will send virtual machine and host MAC/IP pairs in EVPN MAC routes. See the Nokia Nuage documentation for more information about the Nuage DC architecture. The 7x50 DC GW will populate the proxy-ARP tables with those MAC/IP pairs.
  • Page 438 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 MAC Mobility, MAC Duplication, and MAC Protection in EVPN MAC mobility, duplication and protection are fully supported as specified in draft-ietf-l2vpn-evpn. Figure 60 illustrates the concept of mobility (Virtual Machine VM-1 moves from PE-1 to PE-3).
  • Page 439 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 However, if MAC 00:00:01:01:01:01 is constantly learned on the PE-1 and PE-3 SAPs, the preceding process causes an endless exchange of MAC route advertisements and withdrawals that has a negative impact on all the PEs in the EVPN network.
  • Page 440 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Total Path Attr Length = 96 Flag: 0x90 Type: 14 Len: 44 Multiprotocol Reachable NLRI: Address Family EVPN NextHop len 4 NextHop 192.0.2.3 Type: EVPN-MAC Len: 33 RD: 192.0.2.3:1 ESI: ESI-0, tag: 0, mac len: 48 mac: 00:00:01:01:01:01, IP len: 0, IP: NULL, label1: 1 Flag: 0x40 Type: 1 Len: 1 Origin: 0 Flag: 0x40 Type: 2 Len: 0 AS Path:...
  • Page 441 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 • The MAC is flushed due to a local event (SAP/SDP-binding associated to the MAC fails) or the reception of a remote withdraw for the MAC (due to a MAC flush at the remote 7x50) or •...
  • Page 442 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 ------------------------------------------------------------------------------- Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf =============================================================================== On the receiving PE: *A:PE-3# show service id 1 fdb detail =============================================================================== Forwarding Database, Service 1 =============================================================================== ServId Source-Identifier...
  • Page 443 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 Route Dist. : 192.0.2.1:1 Mac Address : 00:00:05:05:05:05 MPLS Label1 : VNI 1 MPLS Label2 : N/A Route Tag Neighbor-AS : N/A Orig Validation: N/A Source Class Dest Class Add Paths Send : Default...
  • Page 444 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 *A:PE-3# show router bgp routes evpn - evpn <evpn-type> auto-disc - Display BGP EVPN Auto-Disc Routes eth-seg - Display BGP EVPN Eth-Seg Routes inclusive-mcast - Display BGP EVPN Inclusive-Mcast Routes ip-prefix - Display BGP EVPN IPv4-Prefix Routes ipv6-prefix...
  • Page 445 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 2) Releases Up To 15.0.R5 u*>i 192.0.2.2:1 00:00:00:00:00:00 ESI-0 Seq:0 192.0.2.2 VNI 1 u*>i 192.0.2.2:2 00:00:00:00:00:00 ESI-0 Seq:0 192.0.2.2 VNI 2 ------------------------------------------------------------------------------- Routes : 3 =============================================================================== *A:PE-3# The tools dump service id vxlan displays the number of times a service could not add a VXLAN binding or <VTEP, Egress VNI>...
  • Page 446 EVPN for VXLAN Tunnels (Layer 2) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Sdp Bind + Evpn Dests 9/245759 ES L2/L3 PBR 0/ 32767 Evpn Etree Remote BUM Leaf Labels *A:PE-3# tools dump service vxlan dup-vtep-egrvni Duplicate VTEP, Egress VNI usage attempts at 05/03/2017 10:38:32: 1.
  • Page 447 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 EVPN for VXLAN Tunnels (Layer 3) This chapter provides information about EVPN for VXLAN tunnels (Layer 3). Topics in this chapter include: • Applicability •...
  • Page 448 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • EVPN-VXLAN in R-VPLS services • EVPN-VXLAN in Integrated Routing Bridging (IRB) backhaul R-VPLS services • EVPN-VXLAN in EVPN tunnel R-VPLS services In all these scenarios, redundant PEs are usually deployed. If that is the case, the interaction of EVPN, IP-VPN, and the Routing Table Manager (RTM) may lead to some routing loop situations that must be avoided by the use of routing policies (this also may happen in traditional IP-VPN deployments when eBGP and MP-BGP...
  • Page 449 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 Figure 61 EVPN-VXLAN for R-VPLS Services PE-2 PE-4 192.0.2.2 192.0.2.4 00:ca:fe:ca:fe:02 00:ca:fe:ca:fe:04 PE-1 PE-6 VPLS 101 VPRN VPRN VPLS 101 192.0.2.6 192.0.2.1 VRRP-1 VRRP-1 IP-VPN MPLS VPLS 101 VPLS 101...
  • Page 450 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • The six PEs are running IS-IS for the global routing table with the four core PEs interconnected using IS-IS Level-2 point-to-point interfaces and each overlay network using IS-IS Level-1 point-to-point interfaces.
  • Page 451 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 rapid-update evpn group "DC" family vpn-ipv4 evpn peer-as 64500 neighbor 192.0.2.1 exit neighbor 192.0.2.3 exit exit group "WAN" family vpn-ipv4 peer-as 64500 neighbor 192.0.2.4 exit neighbor 192.0.2.5 exit...
  • Page 452 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 62 BGP adjacencies and enabled families PE-2 PE-4 192.0.2.2 192.0.2.4 VPN-IPv4 VPN-IPv4 EVPN VPN-IPv4 VPN-IPv4 EVPN PE-1 PE-6 VPN-IPv4 VPN-IPv4 192.0.2.1 192.0.2.6 EVPN EVPN VPN-IPv4 VPN-IPv4...
  • Page 453 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 route-distinguisher 192.0.2.2:101 route-target export target:64500:101 import target:64500:101 exit bgp-evpn vxlan no shutdown exit exit service-name "evi-101" no shutdown exit vprn 10 customer 1 create ecmp 2 route-distinguisher 192.0.2.2:10 auto-bind-tunnel...
  • Page 454 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 no shutdown exit exit service-name "evi-101" sap 1/2/1:101 create exit no shutdown exit vprn 10 customer 1 create ecmp 2 route-distinguisher 192.0.2.3:10 auto-bind-tunnel resolution-filter exit resolution filter exit...
  • Page 455 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 *A:PE-2# configure service vpls 101 proxy-arp no shutdown MINOR: SVCMGR #8007 Cannot modify proxy arp - service is routed When configuring VPRN 10 on PE-2 and PE-3, the following considerations must be taken into account: •...
  • Page 456 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 192.0.2.3:101 00:ca:fe:ca:fe:53 vxlan: EvpnS 05/03/17 12:07:27 192.0.2.3:101 00:ca:fe:ca:fe:54 vxlan: EvpnS 05/03/17 12:07:15 192.0.2.2:101 ------------------------------------------------------------------------------- No. of MAC Entries: 5 ------------------------------------------------------------------------------- Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf =============================================================================== The VPRN 10 VRRP instances on PE-2 are the following: *A:PE-2# show router 10 vrrp instance...
  • Page 457 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 EVPN-VXLAN in IRB Backhaul R-VPLS Services Figure 63 illustrates the second inter-subnet forwarding scenario, where Layer 3 connectivity must be provided not only between the overlay networks but also within each overlay network.
  • Page 458 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 service vprn 20 customer 1 create route-distinguisher 192.0.2.1:20 vrf-target target:64500:20 interface "int-evi-201" create address 172.16.0.1/24 vpls "evi-201" exit exit interface "int-PE-1-CE-1" create address 172.16.1.254/24 sap 1/2/1:20 create exit exit...
  • Page 459 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 configure service vpls 201 customer 1 create allow-ip-int-bind exit vxlan vni 201 create exit route-distinguisher 192.0.2.2:201 route-target export target:64500:201 import target:64500:201 exit bgp-evpn ip-route-advertisement vxlan no shutdown exit...
  • Page 460 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 sap 1/2/1:20 create exit no shutdown As shown in the CLI excerpt, the configuration in the three nodes (PE-1/2/3) for VPLS 201 and VPRN 20 is very similar. The main difference is the auto-bind-tunnel command existing in PE-2/3’s VPRN 20.
  • Page 461 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 Next Hop[Interface Name] Metric ------------------------------------------------------------------------------- 172.16.0.0/24 Local Local 23h57m48s int-evi-201 172.16.1.0/24 Local Local 23h57m35s int-PE-1-CE-1 172.16.2.0/24 Remote BGP EVPN 00h00m17s 172.16.0.2 172.16.6.0/24 Remote BGP EVPN 00h00m17s 172.16.0.2 -------------------------------------------------------------------------------...
  • Page 462 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== The routing table on PE-3 is as follows: *A:PE-3# show router 20 route-table =============================================================================== Route Table (Service: 20) =============================================================================== Dest Prefix[Flags] Type Proto Pref Next Hop[Interface Name] Metric...
  • Page 463 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 • Only VPRN interface primary addresses are advertised as GW-IP in EVPN IP prefix routes. Secondary addresses are never sent as GW-IP addresses. • EVPN IP prefixes are advertised by default as soon as the ip-route-advertisement command is enabled and there are active IP prefixes in the attached VPRN routing table.
  • Page 464 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== Dest Prefix[Flags] Type Proto Pref Next Hop[Interface Name] Active Metric ------------------------------------------------------------------------------- 172.16.0.0/24 Local Local 01d04h18m int-evi-201 172.16.0.1/32 Local Host 01d04h18m int-evi-201 172.16.1.0/24 Local Local 01d04h17m int-PE-1-CE-1...
  • Page 465 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 • ECMP is fully supported for the VPRN for EVPN IP prefix routes coming from different GW-IP next-hops. However, ECMP is not supported for IP prefix routes belonging to different owners (EVPN and IP-VPN).
  • Page 466 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 hosts in subnet 172.16.1.0/24 (for example, CE-1) sending packets to subnets 172.16.2.0/24 or 172.16.6.0/24. In some cases, the R-VPLS where EVPN-VXLAN is enabled does not need to provide intra-subnet connectivity and it is purely a transit or backhaul service where VPRN IRB interfaces are connected.
  • Page 467 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 service vprn 30 customer 1 create route-distinguisher 192.0.2.1:30 vrf-target target:64500:30 interface "int-PE-1-CE-1" create address 172.16.0.254/24 sap 1/1/1:30 create exit exit interface "int-evi-301" create vpls "evi-301" evpn-tunnel exit exit...
  • Page 468 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 service vpls 301 customer 1 create allow-ip-int-bind exit vxlan vni 301 create exit route-distinguisher 192.0.2.2:301 route-target export target:64500:301 import target:64500:301 exit bgp-evpn ip-route-advertisement vxlan no shutdown exit exit...
  • Page 469 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 As shown in the preceding output, the configuration in the three nodes (PE-1/2/3) for VPLS 301 and VPRN 30 is similar to the configuration of VPLS 201 and VPRN 20 in the previous scenario. However, when the evpn-tunnel command is added to the VPRN interface, there is no need to configure an IP interface address.
  • Page 470 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 − When a route-type 2 that includes an IP address is received and it becomes active, the MAC/IP information is added to the FDB and ARP tables. This can be checked with the show>router>arp command and the show>service>id>fdb detail command.
  • Page 471 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 S = Sticky ECMP requested =============================================================================== The same routing policies are applied on the core PEs to prevent loops; see Use of Routing Policies to Avoid Routing Loops in Redundant PEs.
  • Page 472 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Flag: 0x40 Type: 1 Len: 1 Origin: 0 Flag: 0x40 Type: 2 Len: 0 AS Path: Flag: 0x80 Type: 4 Len: 4 MED: 0 Flag: 0x40 Type: 5 Len: 4 Local Preference: 100 Flag: 0xc0 Type: 16 Len: 24 Extended Community: target:64500:301...
  • Page 473 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 Static ARP Entries Dynamic ARP Entries Managed ARP Entries Internal ARP Entries : 0 BGP-EVPN ARP Entries : 1 ------------------------------------------------------------ No. of ARP Entries ============================================================ The number of BGP-EVPN ARP entries in the show router 30 arp summary command matches the number of remote valid GW-MACs for VPRN 30.
  • Page 474 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Figure 65 Routing Policies for Egress EVPN Routes BGP Peer EVPN Export RIB-OUT Policy Static BGP Peer RTM routes sent to EVPN (ECMP EVPN supported) group “1”...
  • Page 475 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 Figure 66 Routing Policies for Ingress EVPN Routes BGP Peer Route EVPN Import Selection RIB-IN Policy Static BGP Peer RTM routes EVPN sent to RTM RTM signals the used group “1”...
  • Page 476 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Use of Routing Policies to Avoid Routing Loops in Redundant PEs When redundant PE VPRN instances are connected to the same R-VPLS service (IRB backhaul or EVPN tunnel R-VPLS) with the ip-route-advertisement command enabled, routing loops can occur in two different use-cases: 1.
  • Page 477 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 Routing policies are applied to PE-2 and PE-3 (also to PE-4 and PE-5) and allow the redundant PEs to reject their own generated routes in order to avoid the loops. These routing policies can be applied at vsi-import/export level or BGP group/neighbor level.
  • Page 478 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 entry 10 from community "SOO-PE-2" exit action drop exit exit entry 20 from community "SOO-PE-3" exit action drop exit exit exit policy-statement "add-tag_to_bgp-vpn_routes" entry 10 from protocol bgp-vpn exit...
  • Page 479 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 Figure 67 EVPN in Parallel R-VPLS Services PE-2 VPRN VPLS 501 VPLS 502 PE-6 PE-1 EVPN-TUNNEL VPLS 501 VPLS 502 VPRN VPRN EVPN-TUNNEL CE-1 CE-3 172.16.0.1/24 .254...
  • Page 480 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 bgp-evpn ip-route-advertisement vxlan no shutdown exit exit service-name "evi-501" no shutdown configure service vpls 502 customer 1 create allow-ip-int-bind exit vxlan vni 502 create exit route-distinguisher 192.0.2.2:502 vsi-export "vsi-export-policy-502"...
  • Page 481 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 tag 12 exit action accept community add "SOO_PE-3_RVPLS502" exit exit entry 20 action accept community add "exp_RVPLS502" exit exit exit policy-statement "vsi-import-policy-501" entry 10 from community "SOO-PE-2-RVPLS"...
  • Page 482 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Troubleshooting and Debug Commands For general information on EVPN and VXLAN troubleshooting and debug commands, see chapter EVPN for VXLAN Tunnels (Layer 2). The following information focuses on specific commands for Layer-3 applications.
  • Page 483 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 • Check that the expected routes are sent, properly exported and communities added/replaced/removed. Examples of EVPN IP prefix routes including communities and tags are the following. *A:PE-2# show router bgp routes evpn ? - evpn <evpn-type>...
  • Page 484 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 l - leaked, x - stale, > - best, b - backup, p - purge Origin codes : i - IGP, e - EGP, ? - incomplete =============================================================================== BGP EVPN IP-Prefix Routes ===============================================================================...
  • Page 485 Advanced Configuration Guide - Part II EVPN for VXLAN Tunnels (Layer 3) Releases Up To 15.0.R5 BGP EVPN IP-Prefix Routes =============================================================================== ------------------------------------------------------------------------------- Original Attributes Network : N/A Nexthop : 192.0.2.1 From : 192.0.2.1 Res. Nexthop : 192.168.12.1 Local Pref. : 100 Interface Name : int-PE-2-PE-1 Aggregator AS : None...
  • Page 486 EVPN for VXLAN Tunnels (Layer 3) Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Neighbor-AS : N/A Orig Validation: N/A Source Class Dest Class Add Paths Send : Default Last Modified : 00h06m57s ------------------------------------------------------------------------------ ---snip--- Conclusion SR OS supports not only the EVPN control plane for VXLAN tunnels in Layer 2 applications but also the simultaneous use of EVPN and VXLAN for VPN customers (tenants) with intra and inter-subnet connectivity requirements.
  • Page 487: EVPN Interconnect Ethernet Segments

    Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 EVPN Interconnect Ethernet Segments This chapter provides information about EVPN Interconnect Ethernet Segments. Topics in this chapter include: • Applicability • Overview • Configuration • Conclusion Applicability The information and configuration in this chapter are based on SR OS Release 15.0.R4.
  • Page 488 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • The use of I-ES for redundancy in dual BGP-instance services allows local SAPs on the DCGWs. This is not supported in the anycast solution. • P2MP mLDP can be provisioned to transport Broadcast, Unknown unicast, and Multicast (BUM) traffic between DCs that use I-ES, without any risk of packet duplication.
  • Page 489 Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 PE-1, PE-2, and PE-3 simulate a data center, shown as Overlay-Network-1, where PE-2 and PE-3 are DCGWs. In the same way, PE-4, PE-5, and PE-6 simulate a remote data center, Overlay-Network-2.
  • Page 490 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 service-id service-range 1 to 100 service-range 101 to 200 exit no shutdown exit On PE-1 and PE-2, the preceding configuration associates I-ES "I-ES231" with the VXLAN instance 1 in services contained in the range VPLS 1 to 100 and 101 to 200. The I-ES is modeled as a virtual ES, where: •...
  • Page 491 Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 application layer, so the PE will send its own admin pref/DP values. Therefore, for I-ESs, the non-revertive mode will only work for node failures. See the Preference-based and Non-revertive EVPN DF Election chapter for more information about the preference-based and non-revertive DF election...
  • Page 492 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 evi 101 to 200 exit exit multi-homing single-active network-interconnect-vxlan 1 service-id service-range 1 to 100 service-range 101 to 200 exit no shutdown exit In this example, VPLS 1 will be configured and associated with the preceding I-ESs. Figure 69 shows an example of VPLS 1 and how it is associated with the I-ESs.
  • Page 493 Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 bgp-evpn evi 1 vxlan no shutdown exit mpls shutdown exit exit shutdown exit sap 1/1/1:1 create no shutdown exit no shutdown ---------------------------------------------- A:PE-2>config>service>vpls# info ---------------------------------------------- vxlan vni 1 instance 1 create exit route-distinguisher 192.0.2.2:1 exit...
  • Page 494 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 exit bgp-evpn evi 1 vxlan no shutdown exit mpls ingress-replication-bum-label ecmp 2 bgp-instance 2 auto-bind-tunnel resolution any exit no shutdown exit exit shutdown exit no shutdown ---------------------------------------------- As in the case of any other ESs, the association of instance and service is based on the ES configuration and there is no extra configuration required at the service level...
  • Page 495 Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- ISID Ranges: <none> =============================================================================== =============================================================================== EVI Information =============================================================================== SvcId Actv Timer Rem ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Number of entries: 2 =============================================================================== ------------------------------------------------------------------------------- DF Candidate list ------------------------------------------------------------------------------- DF Address ------------------------------------------------------------------------------- 192.0.2.2...
  • Page 496 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 =============================================================================== VPLS VXLAN oper flags =============================================================================== MhStandby : true =============================================================================== EVPN Route Handling in Dual BGP-instance VPLSs with I-ES The configuration of I-ESs on DCGWs with two BGP instances has the following impact on the advertisement and process of the BGP-EVPN routes: •...
  • Page 497 Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 Required BGP Policies to Avoid Control Plane Loops Usually, the use of router policies is required when I-ESs are used for redundancy, to avoid control plane loops with MAC/IP routes. The control plane loops to be avoided are as follows: 1.
  • Page 498 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 The following policy prevents the router from sending service VXLAN routes to MPLS peers: policy-statement "allow only mpls" entry 10 from community "vxlan" family evpn exit action drop exit exit...
  • Page 499 Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 exit default-action accept exit exit The BGP configuration for PE-2 and PE-3 is as follows: A:PE-2>config>router>bgp# info ---------------------------------------------- family evpn vpn-apply-import vpn-apply-export rapid-withdrawal rapid-update evpn group "dc" type internal export "allow only vxlan"...
  • Page 500 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 exit exit no shutdown ---------------------------------------------- Single-active Multi-homing Operation When the I-ES is configured as single-active and no shutdown (assuming at least one service is associated), the DCGWs will send ES and AD routes as usual for any ES, and run DF election based on the ES routes, with the candidate list being pruned by the AD routes.
  • Page 501 Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 ------------------------------------------------------------------------------- 00:ca:fe:ca:fe:01 eES: Evpn 09/05/17 13:00:03 00:23:23:23:23:23:23:00:00:01 00:ca:fe:ca:fe:06 vxlan: Evpn 09/05/17 13:00:03 192.0.2.6:1 ------------------------------------------------------------------------------- No. of MAC Entries: 2 ------------------------------------------------------------------------------- Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf =============================================================================== A:PE-5# show service id 1 fdb detail ===============================================================================...
  • Page 502 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 In spite of not sending BUM or unicast traffic, the NDF for a service still creates the VXLAN bindings; however, they are not associated with any MACs and they are flagged as non-multicast capable, or "-"...
  • Page 503 Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 =============================================================================== MhStandby : false =============================================================================== • MAC/IP routes and FDB process: MAC/IP routes are received, installed, and advertised as in the DF router. • IMET routes process: −...
  • Page 504 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 All-active Multi-homing and Unknown Unicast Forwarding on the NDF The unknown unicast traffic will be transmitted on the (all-active multi-homing) NDF in the upstream and downstream directions only in those cases where there is no risk of packet duplication.
  • Page 505 Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 Figure 71 All-active Multi-homing and Unknown Unicast Example 2 [diagram; annotations: "MAC SA suppression prevents looping frames back to DC", "MAC AA is unknown in FDB"]...
  • Page 506 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 PE3 receives unicast traffic with MAC DA = AA. The MAC address is known in the FDB and associated with I-ES-1; therefore, because PE3 is configured to do aliasing to DCGW1 and DCGW2 (bgp-evpn>mpls# ecmp 2), a packet hash determines that it has to be sent to DCGW2 (NDF).
  • Page 507 Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 =============================================================================== Forwarding Database, Service 1 =============================================================================== ServId Source-Identifier Type Last Change ------------------------------------------------------------------------------- No Matching Entries =============================================================================== The following command clears the ARP table of the VPRN instance (defined in PE-1 using a loop) simulating CE-1: A:PE-1# clear router 300 arp all A:PE-1#...
  • Page 508 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 • PE-3 is NDF for I-ES231, but it floods the packet because the I-ES is all-active and the unknown unicast packet is considered low risk. The packet arrives with no ESI label, no BUM label (in VXLAN, VNIs are the same for unicast and BUM), and the MAC SA suppression passes because the packet is coming from the I-ES and not from MPLS.
  • Page 509 Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 u*>i 192.0.2.3:101 192.0.2.3 192.0.2.3 ------------------------------------------------------------------------------- Routes : 3 =============================================================================== *A:PE-1# If a DF switchover occurs in the I-ES, the new DF would advertise the IMET-IR route and the new NDF would withdraw it.
  • Page 510 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 Local SAPs and Provider Tunnels along with I-ES As described in the Overview section, the main advantages of the I-ES solution over the anycast redundant solution for dual BGP-instance services are the support of local SAPs and P2MP mLDP trees without packet duplication.
  • Page 511 Advanced Configuration Guide - Part II EVPN Interconnect Ethernet Segments Releases Up To 15.0.R5 To have EVPN multi-homing from a CE locally connected to PE-2 and PE-3, an additional ES is configured on PE-2 and PE-3 that will include the local SAPs in VPLS 1, as follows: *A:PE-2>config>service>system>bgp-evpn# info ----------------------------------------------...
  • Page 512 EVPN Interconnect Ethernet Segments Advanced Configuration Guide - Part II Releases Up To 15.0.R5 MhStandby : false =============================================================================== *A:PE-2# show service vxlan-instance-using ethernet-segment =============================================================================== VXLAN Ethernet-Segment Information =============================================================================== SvcId VXLAN Instance ES Name Status ------------------------------------------------------------------------------- I-ES231 I-ES231 =============================================================================== *A:PE-2# show service vxlan-instance-using ethernet-segment "I-ES231" =============================================================================== VXLAN Ethernet-Segment Information ===============================================================================...
  • Page 513: EVPN-MPLS Interconnect for EVPN-VXLAN VPLS Services

    Advanced Configuration Guide - Part II EVPN-MPLS Interconnect for EVPN-VXLAN VPLS Services Releases Up To 15.0.R5 EVPN-MPLS Interconnect for EVPN-VXLAN VPLS Services This chapter provides information about EVPN-MPLS Interconnect for EVPN-VXLAN VPLS Services. Topics in this chapter include: • Appl