Evpn PDF
EVPN
This chapter describes Arista’s EVPN implementation. Sections in this chapter include:
• Section 23.1: EVPN Overview
• Section 23.2: EVPN Layer 3 Core Operations
• Section 23.3: Integrated Routing and Bridging
• Section 23.4: VPN MPLS Transport Options
• Section 23.5: EVPN Type-5 Routes: IP Prefix Advertisement
• Section 23.6: Inter-VRF Local Route Leaking
• Section 23.7: Configuring EVPN
• Section 23.8: Sample Configurations
• Section 23.9: EVPN and VCS Commands
EVPN Overview Chapter 23: EVPN
The initial EVPN standard, RFC 7432, defined the BGP EVPN control plane and specifies an MPLS
data plane. The control plane with an MPLS data plane was extended to consider additional data
plane encapsulation models including VXLAN, NVGRE and MPLS over GRE.
The new EVPN Network Layer Reachability Information (NLRI) is carried in BGP using Multi-protocol
BGP Extensions with a newly defined Address Family Identifier (AFI) and Subsequent Address Family
Identifier (SAFI).
To provide multi-tenancy, the standard uses the above traditional VPN methods to control the import
and export of routes and provide support for overlapping IP addresses between tenants.
• Multi-protocol BGP for EVPN: A new AFI and SAFI have been defined for EVPN. These are
AFI = 25 (Layer 2 VPN) and SAFI = 70 (EVPN).
• EVPN Layer 2/Layer 3 tenant segmentation: Similar to standard MPLS VPN configurations,
Route Distinguishers (RDs) and Route Targets (RTs) are defined for the VPN.
• Route Target (RT): To control the import and export of routes across VRFs, EVPN routes are
advertised with Route-Targets (RTs), which are BGP extended communities. The RT can be auto-derived
to simplify the rule configuration; typically this is based on the AS number and the VNI of the
MAC-VRF.
• Route Distinguisher (RD): Unique number prepended to the advertised address within the
VRF, ensuring support for overlapping IPs and MACs across different tenants.
The format of the MP_REACH_NLRI/MP_UNREACH_NLRI attribute, holding the new EVPN NLRI is
illustrated below, where the next-hop address within the NLRI is the IP address of the VTEP advertising
the EVPN route.
Figure 23-4: EVPN NLRI Route Format
As illustrated in Figure 23-4, the original MPLS RFC (7348) and subsequent IP prefix draft
(draft-ietf-bess-evpn-prefix-advertisement-04), introduce five unique EVPN route types.
With a one-to-one mapping between the VLAN-ID and the MAC-VRF of EVI instance, the EVI will
represent an individual tenant subnet/VLAN in the overlay. The one-to-one mapping also means the
route-target associated with the MAC-VRF, uniquely identifies the tenant’s subnet/VLAN, providing
granular importing of MAC routes on a per VLAN basis on each VTEP.
In this service, the associated MAC-VRF table is identified by the Route-Target in the control plane and
by the VNI in the data plane and the MAC-VRF table corresponds to a single VLAN bridge domain.
With the MAC-VRF containing a single Layer 2 bridge table and a single VNI, the original VLAN tag
has no significance in the control plane and is not carried in any EVPN route update. The original
Ethernet tag and the VNI label are carried in the VXLAN data plane, to allow forwarding to the correct
tenant VLAN.
Figure 23-6: VLAN Bundle Service Interface
In this service, the Route-Target associated with the MAC-VRF identifies the tenant rather than an
individual subnet/VLAN of a tenant. This means all MAC routes for the tenant will be imported on the
VTEP regardless of whether or not the specific tenant VLAN exists. The MAC-VRF table is identified
by the Route-Target in the control plane and forwarding to the appropriate tenant VLAN is achieved via
a combination of the VNI and Ethernet tag in the VXLAN data plane.
With the MAC-VRF containing multiple Layer 2 bridge tables, the VLAN tag is carried in any EVPN
route update to allow mapping to the correct tenant bridge table within the MAC-VRF. Only the unique
VNI label is carried in the VXLAN data plane, to allow forwarding to the correct VLAN within the
MAC-VRF.
Figure 23-7: VLAN Aware Bundle Service
In this service, the MAC-VRF of the EVI instance represents multiple subnets/VLANs of the tenant. The
Layer 2 bridge table of the MAC-VRF is identified by a combination of the Route-Target and the
Ethernet tag in the control plane and by the unique VNI in the VXLAN data plane.
This service type is a common DCI/WAN deployment, where a tenant’s VLANs are bundled into a single
EVI instance, while VLAN “awareness” can be retained in the EVPN service as the VNI tag is
advertised in the MAC-IP route (which now identifies the VLAN within the EVI). Bundling into a service
like this reduces the number of EVIs that need to be configured, reducing complexity and the
control-plane signaling between PEs.
Note The distribution of Layer 2 bridging information as described above allows a Layer 2 overlay network
to be stretched across multiple DCs without additional VTEP configurations.
EVPN route types:
• 1 - Ethernet A-D Route
• 2 - MAC-advertisement Route
• 3 - Inclusive Multicast Route
• 4 - Ethernet Segment Route
• 5 - IP prefix Route (optional)
IP prefix route fields:
• Ethernet Tag ID = 0
• IP Prefix Length (0-32, 0-128): Prefix mask, IPv4/IPv6 support.
• IP Prefix (IPv4 or IPv6): IPv4 or IPv6 prefix.
• GW IP Address = 0: Set to zero for interface-less. MPLS label is used as overlay index.
• MPLS Label: VRF label of the advertising PE, used as overlay index.
Chapter 23: EVPN EVPN Layer 3 Core Operations
Figure 23-10 offers a more detailed view of the route as displayed on a PE router.
Figure 23-10: EVPN Route Type-5 as Shown on PE
As shown in Figure 23-10, the route contains the VPN route (prefix and RD), the next-hop for the route
and the advertising router ID, along with the extended communities of tunnel type (MPLS), MPLS Label
value and route-target.
Note You require 4.21.1F release and later versions with Jericho/Jericho+ platforms.
The route advertisements are EVPN type-2 routes, which can advertise just the MAC address of the
host, or optionally the MAC and IP address of the host. The format of the type-2 route is illustrated in
the figure below, along with the mandatory and optional extended community attached to the route.
Figure 23-12: EVPN Type 2 MAC and IP Route Format
When a MAC address is learned and advertised for the first time, it is advertised without a sequence
number and the receiving VTEP assumes the sequence to be zero. On detection of a MAC move, i.e. a
MAC is learned locally when the same MAC route is active via a type-2 advertisement, the
sequence number is incremented by one, and the MAC route is advertised to the remote peers. The
original advertising VTEP receives the MAC route with a now higher sequence number and withdraws
its own local MAC route. All other VTEPs flush the original MAC route and update their tables with the
new higher sequence number route.
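The sequence-number handling described above, modelled as a small state machine. This is an added example, not EOS code; the class, the VTEP names and the MAC address are constructed, and a shared Python list stands in for the BGP sessions. Ignoring an advertisement whose sequence is not higher than the installed one is the assumption that keeps a late or replayed copy of the old route from displacing the current one.

```python
"""Model of EVPN MAC mobility sequence handling (added example, not EOS code)."""


class Vtep:
    def __init__(self, name, fabric):
        self.name = name
        self.fabric = fabric          # shared list of all VTEPs (stands in for BGP)
        self.local = {}               # mac -> sequence of our own advertisement
        self.remote = {}              # mac -> (advertising VTEP, sequence)
        fabric.append(self)

    def learn_local(self, mac):
        """Data-plane learning of a MAC on a local port."""
        if mac in self.local:
            return                    # already ours, nothing new to advertise
        if mac in self.remote:
            # MAC move: the MAC is active via a type-2 route from another VTEP,
            # so advertise it with the sequence number incremented by one.
            seq = self.remote.pop(mac)[1] + 1
        else:
            seq = None                # first advertisement carries no sequence
        self.local[mac] = seq
        for peer in self.fabric:
            if peer is not self:
                peer.receive_type2(mac, self.name, seq)

    def receive_type2(self, mac, origin, seq):
        """Process a type-2 advertisement received from a remote VTEP."""
        new_seq = 0 if seq is None else seq       # absent sequence is assumed zero
        if mac in self.local:
            if new_seq <= (self.local[mac] or 0):
                return "ignored"      # our own route is at least as new
            del self.local[mac]       # original advertiser withdraws its local route
            self.remote[mac] = (origin, new_seq)
            return "withdrew-local"
        current = self.remote.get(mac)
        if current is not None and new_seq <= current[1]:
            return "ignored"          # stale or replayed lower sequence
        self.remote[mac] = (origin, new_seq)
        return "installed"


def run_scenario():
    """Host behind VTEP-1 moves to VTEP-3; a stale copy of the old route arrives late."""
    fabric = []
    v1, v2, v3 = (Vtep(n, fabric) for n in ("VTEP-1", "VTEP-2", "VTEP-3"))
    mac = "00:00:5e:00:53:01"         # constructed MAC from the documentation range
    v1.learn_local(mac)               # first learn: advertised without a sequence
    before_move = v2.remote[mac]
    v3.learn_local(mac)               # MAC move detected on VTEP-3
    stale = v2.receive_type2(mac, "VTEP-1", None)
    return {
        "before_move": before_move,
        "v1_still_local": mac in v1.local,
        "v1_remote": v1.remote[mac],
        "v2_remote": v2.remote[mac],
        "v3_sequence": v3.local[mac],
        "stale_result": stale,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```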
• PMSI Tunnel Attribute, to advertise the replication model the VTEP is supporting. The
supported options defined within the standard are ingress replication and IP multicast.
Integrated Routing and Bridging Chapter 23: EVPN
To provide inter-subnet routing on all VTEPs for all subnets, an anycast IP address is utilized for each
subnet and configured on each VTEP. The anycast IP acts as the default gateway for the hosts,
therefore regardless of where the host resides the directly attached VTEPs can act as the host’s default
gateway. The host MAC and MAC to IP bindings are learned by each VTEP based on a combination
of local learning/ARP snooping and type-2 route advertisement from remote VTEPs.
In a typical implementation, the optional MAC and IP, type-2 route is advertised separately from the
MAC only type-2 route. This is done so that if the MAC and IP route is cleared, for example the ARP
flushed, or the ARP timeout is set to less than the MAC timeout, then the MAC only route will still exist.
The format of the two advertised type-2 routes for Server-1 is illustrated below, where the RD
IP-A:1010 and route-target 1010:1010 are used to distinguish the uniqueness of the route and allow
the route to be imported into the correct remote MAC-VRF based on the route-target import policy of
the VTEP.
Figure 23-17: EVPN Comparison of MAC & MAC+IP Type 2 Route in Asymmetric IRB
For the traffic flow between Server-1 in subnet-10 and Server-4 in subnet-11, the ingress VTEP
(VTEP-1) locally routes the packet into subnet-11/VNI 1011 and then VXLAN bridges the frame,
inserting the VNI 1011 into the VXLAN header with an inner DMAC equal to the destination host,
Server-4. This requires the receiving VTEP, (VTEP-4) to only perform a local Layer 2 lookup, based on
the VNI to VLAN mapping, for the DMAC of Server-4.
Figure 23-18: EVPN Asymmetric IRB VxLAN Data-plane Forwarding Detail
For the asymmetric model to operate, the sending VTEP needs the information for all the tenant’s hosts
(MAC and MAC to IP binding) to route and bridge the packet. This means the VTEP needs to be a
member of all the tenant’s subnets/VNIs and have an associated SVI with anycast IP for all the subnets,
and this will be required on all VTEPs participating in the routing functionality for the tenant. This
introduces scaling issues on multiple fronts.
• VNI Scaling: The number of VNIs supported on a hardware VTEP will be finite, so not all VNIs
can reside on all VTEPs. This is especially true in data-center deployments, where the TORs
have traditionally been more resource constrained than chassis-based edge systems.
• Forwarding memory scaling: The VTEPs need to store all host MACs and ARP entries for all
subnets in the network. On a leaf switch this is a hardware resource, which again will be a finite
resource defined by the specific hardware platform deployed at the leaf.
Symmetric IRB
To address the scale issues of the asymmetric model, in the symmetric model the VTEP is only
configured with the subnets that are present on the directly attached hosts. Connectivity to non-local
subnets on a remote VTEP is achieved through an intermediate IP-VRF. The subsequent forwarding
model for symmetric IRB is illustrated in the figure below, for traffic between Server-1 on subnet-10
(Green) and Server-4 on the remote subnet-11 (Blue). In this model, the ingress VTEP routes the traffic
between the local subnet-10 and the IP-VRF, of which both VTEPs are members; the egress VTEP
then routes the frame from the IP-VRF to the destination subnet. The forwarding model results in both
VTEPs performing a routing function, hence the term symmetric IRB.
Figure 23-19: EVPN Symmetric IRB
To provide the inter-subnet routing, when the subnet is stretched across multiple VTEPs, an anycast
IP address is utilized for each subnet, but only configured on the VTEPs where the subnet exists. The
host MAC and MAC to IP bindings are learned by each VTEP based on a combination of local
learning/ARP snooping and type-2 route advertisements.
For the symmetric IRB model the type-2 (MAC and IP) route is advertised with two labels and two
route-targets corresponding to the MAC-VRF the MAC address is learned on and the IP-VRF. Remote
VTEPs receiving the route import the IP host route into the corresponding IP-VRF based on the
IP-VRF route-target and, if the corresponding MAC-VRF exists on the VTEP, the MAC address is
imported into the local MAC-VRF based on the MAC-VRF’s Route-Target. The import behavior for the
type-2 route is illustrated in the diagrams below for the host Server-1.
If the MAC-VRF exists locally on the receiving router, the IP host route will be installed in the
IP-VRF and the MAC address will be installed in the MAC-VRF, as shown in Figure 30. With both a
MAC route in the MAC-VRF and an IP host route in the IP-VRF, the VNI used in the data-path will
depend on whether the traffic is being VXLAN bridged between hosts in the same VNI (1010) or
VXLAN routed (VNI 2000).
Figure 23-20: EVPN Type 2 Route in Symmetric IRB - MAC-VRF on Both VTEPs
Compare this to Figure 4.17, where the MAC-VRF does not exist on the receiving VTEP (VTEP-2). In
this case the MAC route is ignored and not installed, as there is no corresponding Route Target on the
VTEP. In this scenario, only the IP-VRF host route is installed on VTEP-2. Traffic from VTEP-2 destined
to hosts on subnet-10 is therefore always VXLAN routed via the IP-VRF, VNI 2000.
Figure 23-21: EVPN Type 2 Route in Symmetric IRB - MAC-VRF Only Exists on Sending VTEP
The symmetric IRB type-2 route contains a number of additional extended community attributes over
the asymmetric IRB type-2 route. The salient fields of the route are summarized below.
• Multi-protocol Reachable NLRI (MP_REACH_NLRI) attribute is used to carry the next hop
for the advertised route. In the context of a VXLAN forwarding plane, this will be the source
address of the advertising VTEP.
• Route Distinguisher of the advertising node’s MAC-VRF. For Server-1 in the example above
this would be IP-A:1010.
• MAC address field contains the 48-bit MAC address of the host being advertised. For Server-1
in the example above this would be MAC-1.
• IP address and length field contain the IP address and 32-bit mask for the host being
advertised. For Server-1 in the example above this would be IP-1.
• MAC-VRF label, this contains the VNI number (label) corresponding to the local Layer 2
domain/MAC-VRF the host MAC was learned on. For Server-1 in the example above this would
be VNI 1010.
• IP-VRF label, this contains the VNI number (label) corresponding to the MAC-VRF’s
associated IP-VRF. For MAC-VRF 10 in the example above this would be IP-VRF 2000.
• Extended community Route Target for the IP-VRF. This contains the route-target of the IP-VRF
associated with the learned MAC address.
• Extended community Router MAC. This field advertises the system MAC of the advertising
VTEP and is used as the DMAC for any packet sent to the VTEP via the IP-VRF.
• Extended community Route Target for the MAC-VRF. This contains the route-target of the
MAC-VRF associated with the learned MAC address.
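The fields listed above and the two import outcomes (MAC-VRF present, or absent as on VTEP-2) can be checked with a decoder for the type-2 NLRI followed by the route-target import decision. This is an added example, not EOS code: the NLRI uses the RFC 7432 field order with the VNI carried in the 3-byte label field, and the addresses standing in for IP-A, MAC-1 and IP-1, the VRF names and the IP-VRF route-target 2000:2000 are assumptions.

```python
"""Decode an EVPN type-2 (MAC/IP) NLRI and apply symmetric IRB import rules."""
import ipaddress
import struct

ROUTE_TYPE_MAC_IP = 2


def encode_type2(rd_ip, rd_num, mac, ip, l2_vni, l3_vni):
    """Build a constructed type-2 NLRI: RD, ESI, tag, MAC, IP, two labels."""
    body = struct.pack("!H4sH", 1, ipaddress.IPv4Address(rd_ip).packed, rd_num)
    body += bytes(10)                                   # ESI, all zero
    body += struct.pack("!I", 0)                        # Ethernet Tag ID
    body += bytes([48]) + bytes.fromhex(mac.replace(":", ""))
    ip_bytes = ipaddress.ip_address(ip).packed
    body += bytes([len(ip_bytes) * 8]) + ip_bytes       # IP length is in bits
    body += l2_vni.to_bytes(3, "big") + l3_vni.to_bytes(3, "big")
    return bytes([ROUTE_TYPE_MAC_IP, len(body)]) + body


def decode_type2(nlri):
    """Parse a type-2 NLRI, rejecting malformed lengths instead of guessing."""
    if len(nlri) < 2 or nlri[0] != ROUTE_TYPE_MAC_IP:
        raise ValueError("not a type-2 route")
    body = nlri[2:]
    if len(body) != nlri[1] or len(body) < 33:
        raise ValueError("length field does not match NLRI")
    rd_type, rd_ip, rd_num = struct.unpack("!H4sH", body[:8])
    if rd_type != 1:
        raise ValueError("only RD type 1 (IPv4:number) is handled here")
    if body[22] != 48:
        raise ValueError("MAC address length must be 48 bits")
    ip_len = body[29]
    if ip_len not in (0, 32, 128):
        raise ValueError("IP address length must be 0, 32 or 128 bits")
    ip_end = 30 + ip_len // 8
    labels = body[ip_end:]
    if len(labels) not in (3, 6):
        raise ValueError("expected one or two 3-byte labels")
    return {
        "rd": f"{ipaddress.IPv4Address(rd_ip)}:{rd_num}",
        "ethernet_tag": struct.unpack("!I", body[18:22])[0],
        "mac": body[23:29].hex(":"),
        "ip": ipaddress.ip_address(body[30:ip_end]) if ip_len else None,
        "mac_vrf_vni": int.from_bytes(labels[:3], "big"),
        "ip_vrf_vni": int.from_bytes(labels[3:], "big") if len(labels) == 6 else None,
    }


def import_type2(route, route_targets, mac_vrf_imports, ip_vrf_imports):
    """Return what a receiving VTEP installs; each *_imports maps import RT -> VRF."""
    installed = {}
    for rt in route_targets:
        if rt in mac_vrf_imports:
            installed[mac_vrf_imports[rt]] = ("mac", route["mac"], route["mac_vrf_vni"])
        if rt in ip_vrf_imports and route["ip"] is not None \
                and route["ip_vrf_vni"] is not None:
            prefix = f"{route['ip']}/{route['ip'].max_prefixlen}"
            installed[ip_vrf_imports[rt]] = ("host-route", prefix, route["ip_vrf_vni"])
    return installed


# Constructed values standing in for the chapter's IP-A, MAC-1 and IP-1.
SERVER1 = encode_type2("192.0.2.1", 1010, "00:00:5e:00:53:01", "10.10.10.1", 1010, 2000)
SERVER1_RTS = ["1010:1010", "2000:2000"]    # MAC-VRF RT, IP-VRF RT (assumed value)


def demo():
    """Import Server-1's route on a VTEP with both VRFs, on VTEP-2, and on an outsider."""
    route = decode_type2(SERVER1)
    both = import_type2(route, SERVER1_RTS,
                        {"1010:1010": "MAC-VRF-10"}, {"2000:2000": "IP-VRF"})
    vtep2 = import_type2(route, SERVER1_RTS, {}, {"2000:2000": "IP-VRF"})
    other_tenant = import_type2(route, SERVER1_RTS, {"3030:3030": "MAC-VRF-30"}, {})
    return route, both, vtep2, other_tenant


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A VTEP that imports neither route-target installs nothing, which is the tenant separation the route-targets provide.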
23.3.1 IP VPN
RFC 4364 allows Service Providers and Enterprises to use their backbone infrastructure to provide
services to multiple customers or internal departments, while performing the following functions:
• Maintaining privacy
• Allowing for IP address overlap amongst customers
• Constraining route distribution, so that only the service provider routers which need the routes
have them.
This is achieved through the usage of VRFs, Route Distinguishers and Route-Targets.
The IPv4/IPv6 VPN Standard RFC 4364 does the following:
• Specifies a BGP IPv4 VPN control plane with an MPLS data plane.
• BGP control plane, new address family to advertise IP VPN prefixes.
• This RFC obsoleted the original RFC 2547.
• MPLS data-plane defined in multiple RFCs and drafts.
The RED circle in Figure 23-22 highlights the main Drafts and RFCs in use today for an MPLS
data-plane.
Figure 23-22: MPLS data-plane
IPv4 VPN and IPv6 VPN are extensions of the BGP protocol introducing new address families: IPv4
(address family number 1), IPv6 (address family number 2), and a subsequent address family number
128: MPLS Layer 3 VPN unicast. They are used to exchange overlay IP prefix reachability information
between MP-BGP peers.
Figure 23-23: IPv4 VPN and IPv6 VPN
• Withdrawal
Each route type has its own NLRI prefix format and each route type advertises its own set of prefixes to
update/withdraw.
The format of the IPv4 VPN prefix update route is illustrated in Figure 23-24. As detailed, the update
route contains the VPN route (prefix and RD), the next-hop for the route and the advertising router ID,
along with the MPLS Label and a number of path attributes (where the RT extended
communities are defined), which are associated with these IPv4 NLRIs.
Figure 23-24: IPv4 and IPv6 VPN Update Route Detail
The output in Figure 23-25 and Figure 23-26 offers a more detailed view of the route as displayed on a
PE router.
Figure 23-25: IPv4 VPN Route as Shown on PE
[Figure: active PE routers, each with VRF A and VRF B, connected across P routers in the MPLS core; CE routers attach to VRF A.]
An IP VRF is used on a PE router for each customer (Layer 3 overlay). VRF IP routes are exported into
the MP-BGP table and advertised to remote PEs as VPN routes. The exported VPN routes carry the
Route-Target (RT) extended communities that are configured as export route-targets on the IP VRF
from which they were exported.
The RTs carried by the VPN routes received by a PE are matched against the VRF import route-target
configuration. When a received route carries an RT that is configured as an import route-target on an
IP VRF, the route is imported into the IPv4 or IPv6 table for that VRF.
PE routers allocate per-VRF and address family Labels that are advertised as part of the VPN route
NLRI. Forwarding of overlay packets between PEs across the underlay requires underlay MPLS
connectivity provided by a backbone.
Note You require 4.21.1F release and later versions with Jericho/Jericho+ platforms.
Chapter 23: EVPN VPN MPLS Transport Options
[Figure: MPLS transport topology. NORTH EDGE and SOUTH EDGE are connected through NW-CORE, NE-CORE, SW-CORE and SE-CORE over 192.168.x.0/24 links, with IS-IS SR, LDP and BGP-SR running in the core.]
Loopback addresses shown in the figure:
Router        ISIS-SR (Lo0)   BGP-SR (Lo1)   LDP (Lo200)
North Edge    1.1.1.111       1.1.1.11       1.1.1.200
NW Core       2.2.2.2         2.2.2.22       2.2.2.200
SW Core       3.3.3.3         3.3.3.33       3.3.3.200
NE Core       4.4.4.4         4.4.4.44       4.4.4.200
SE Core       5.5.5.5         5.5.5.55       5.5.5.200
South Edge    6.6.6.6         6.6.6.66       6.6.6.200
LDP, ISIS-SR, and BGP-LU (BGP-SR) demonstrate the corresponding Label Switched Paths (LSPs)
as the MPLS transport LSPs for Layer 3 EVPN and IP VPN services.
[Figure: TENANT-A. BGP-EVPN between NORTH EDGE and SOUTH EDGE across the IS-IS SR, LDP and BGP-SR core, with 7050SX Leaf 11 and Leaf 12 in DC1. Labelled interfaces: ET 6/2.1, ET 6/3.1 and ET 2.1; tenant subnets: 192.168.168.8/30 and 192.168.168.12/30.]
[Figure: TENANT-B. Same topology. Labelled interfaces: ET 6/2.2, ET 6/3.2 and ET 2.2; tenant subnets: 192.168.168.16/31, 192.168.168.18/31, 192.168.168.20/31 and 192.168.168.22/31.]
To provide external connectivity from the DC into the MPLS domain, leaf-11 and leaf-12 are eBGP
peering via the tenants’ VRFs with the border routers. Both core routers are advertising external
prefixes for Internet and any remote site connectivity (default route and IP prefixes from the other DC
for the tenant). To provide connectivity within the EVPN domain, the leaf switches (leaf-21 and leaf-2)
re-advertise the prefixes into the tenant’s VRF via a type-5 route advertisement, with a next-hop equal
to the advertising PE.
Let us review the concepts of transport labels, advertised to provide the label switched path, or LSP,
across the backbone, and the VPN, or tenant label, used by the provider edge (PE) routers to identify
a particular tenant.
EVPN MPLS Sample Configuration displays BGP route updates and how the tenant VRF is
transported over these transport LSPs.
[Figure: Tenant-D VRF on two active PE routers, each with a Tenant-D CE, connected across P routers in the MPLS core.]
In Figure 23-32 and Figure 23-33, the prefixes for VRF tenant-d are transported over the MPLS WAN
between North Edge and South Edge routers.
Figure 23-32: Tenant-D IPv4 VPN
[Figure detail, IPv4 VPN: BGP-IPv4 VPN between NORTH EDGE and SOUTH EDGE across the IS-IS SR, LDP and BGP-SR core, with an RR label in the core. North Edge side (labelled TENANT-D): ET 6/1.120, 10.255.255.0/30, VL120 10.255.255.2/30, VL121 201.0.0.1/24. South Edge side (labelled TENANT-A): ET 6/1.620, 10.255.255.4/30, VL620 10.255.255.6/30, VL621 206.0.0.1/24.]
[Figure detail, IPv6 VPN: same topology with BGP-IPv6 VPN. North Edge side (labelled TENANT-D): ET 6/1.120, 2010::0/126, VL120 2010::1/126, VL121 2201::1/64. South Edge side (labelled TENANT-A): ET 6/1.620, 2010::4/30, VL620 2010::6/126, VL621 2201::6/64.]
23.4.1 LDP
Figure 23-34 illustrates how LDP neighbor relationships are built. First each router sends a discovery
to a destination multicast address (TTL=1) 224.0.0.2 on port 646. This discovery contains the router-id
and the transport IPv4 address the router wants to use. The second stage is building the TCP peering
session using the transport IP addresses specified. This is normally loopback to loopback.
Figure 23-34: LDP Peering Establishment
[Figure detail: step 1 of LDP peering between 1.1.1.200, 2.2.2.200, 3.3.3.200 and 4.4.4.200. Discovery is sent over UDP (source port 646, destination port 646) from the interface address to 224.0.0.2 with TTL=1, carrying the LSID (router ID) and the IPv4 transport IP.]
Examples
• The show mpls ldp neighbor command on the North Edge router displays more detail on TCP
session establishment, and the local addresses of the LDP neighbor for which it is binding a label.
Note All connected interfaces are advertised as bound. However, EOS currently advertises labels for /32
addresses, and the FEC filter is configured to install only x.x.x.200/32 prefixes.
23.4.2 ISIS-SR
Figure 23-35 illustrates how ISIS-SR distributes the SID index information in the ISIS TLVs and
sub-TLVs.
Figure 23-35: ISIS Neighbor Adj and TLVs
The Prefix SID index, SRGB, and ADJ SID values are populated in the sub-TLVs in the ISIS neighbor
updates. Each router then builds its own database of Node (Prefix) segments (Labels) and locally
assigned ADJ labels.
Examples
• The show isis neighbors detail command on the North Edge router displays the detailed
information of all ISIS neighbors.
north-edge#show isis neighbors detail
Instance VRF System Id Type Interface SNPA State Hold time Circuit Id
sr_instan default nw-core L2 Ethernet1/1 P2P UP 30 1D
Area Address(es): 49.0001
SNPA: P2P
Advertised Hold Time: 30
State Changed: 6d17h ago
IPv4 Interface Address: 192.168.58.12
IPv6 Interface Address: none
Interface name: Ethernet1/1
Graceful Restart: Supported
Segment Routing Enabled
Router ID: 2.2.2.2
SRGB Base: 408000 Range: 4096
Adjacency Label IPv4: 953252
sr_instan default sw-core L2 Ethernet2/1 P2P UP 28 1E
Area Address(es): 49.0001
SNPA: P2P
Advertised Hold Time: 30
State Changed: 00:06:06 ago
IPv4 Interface Address: 192.168.59.12
IPv6 Interface Address: none
Interface name: Ethernet2/1
Graceful Restart: Supported
Segment Routing Enabled
Router ID: 3.3.3.3
SRGB Base: 408000 Range: 4096
Adjacency Label IPv4: 953253
• The show isis segment-routing adjacency-segments command on the North Edge router
displays the locally assigned Adjacency Segment Identifier (Adj-SIDs).
North Edge#show isis segment-routing adjacency-segments
Segment Status codes: L1 - Level-1 adjacency, L2 - Level-2 adjacency, P2P - Point-to-Point adjacency, LAN -
Broadcast adjacency
[Figure: step 1, multi-hop TCP session to destination port 179, normally loopback to loopback (transport IP to transport IP), with RTID = router ID, AFI=1 and SAFI=4. Routers shown include 1.1.1.11, 2.2.2.22 and 3.3.3.33; prefix 6.6.6.66 is shown with labels L=132771, L=10003, L=10001 and L=3.]
Figure 23-37 illustrates how BGP-LU distributes the Label SRGB and SID index information in BGP.
This is known as BGP-SR.
Figure 23-37: BGP-SR Index and SRGB Distribution
[Figure detail: step 1, multi-hop TCP session to destination port 179, normally loopback to loopback (transport IP to transport IP), with RTID = router ID, AFI=1 and SAFI=4. Each eBGP-SR session advertises 6.6.6.66/32 with Label (SID 66) together with the SRGB. Routers shown: 1.1.1.200, 2.2.2.200, 3.3.3.200 and 4.4.4.200.]
The Prefix SID index, and SRGB values are populated in the TLVs in the BGP neighbor updates. Each
router then builds its own database of Node (Prefix) segments (Labels).
Examples
• The show bgp neighbor command displays BGP-SR neighbors.
north-edge#show bgp neighbor | include BGP neighbor|Multiprotocol IPv4 MplsLabel
Chapter 23: EVPN EVPN Type-5 Routes: IP Prefix Advertisement
The IP prefix draft defines a number of specific use cases for the type-5 route, which consequently
affect the format and content of the fields within the route. The different deployment scenarios and use
cases defined within the draft are summarized below.
• Advertising of IP prefixes behind an appliance, when the appliance is not running a routing
protocol and only supporting static routes. This could be the typical use case for a Virtual
Firewall with a number of local subnets directly attached, but the firewall is only supporting
static routes into the associated EVI.
• Support for active-standby deployment of appliances using a shared floating IP model. This is
an extension of the previous case where there is now a virtual IP (or VIP) for clustering the
appliances, rather than a dedicated physical IP address on the appliance.
• Support for Layer 2 appliances, acting as a “bump in the wire” with no physical IP addresses
configured, where instead of the appliances having an IP next-hop there is only a MAC
next-hop.
• IP-VRF to IP-VRF model, which is similar to inter-subnet forwarding for host routes (detailed
in the symmetric/asymmetric section), except only Type-5 routes and IP prefixes are
advertised, allowing announcement of IP prefixes into a tenant’s EVI domain for external
connectivity outside the domain.
Interface-less
In interface-less mode, the IP prefixes within the type-5 route, whether they are local or learned from
a connected router, are advertised to remote peers via the shared IP-VRF, as illustrated in the figure
below. The IP-VRF to IP-VRF model is further divided in the draft into three distinct use cases.
Figure 23-39: EVPN Route Type-5, Interface-less Update
As illustrated in Figure 23-39, the IP prefix (subnet-A) residing behind the router (Rtr-1) is learned via
an IGP in EVI-1 on VTEP-1. The prefix is announced and learned by the remote VTEPs residing in the
same EVI, via the type-5 route announcement. The type-5 route is advertised along with the prefix,
with a route-target (2000:2000) and a VNI label (2000) equal to the IP-VRF which interconnects the
VTEPs in the EVI. The router-mac extended community of the route is used to define the inner DMAC
(equal to the system MAC of VTEP-1) for any VXLAN frame destined to the advertised IP prefix.
From a forwarding perspective, a host residing on subnet-B communicating with a host on subnet-A will
send traffic to its default gateway, which is the IRB interface on VTEP-2 in VLAN 11/VNI 1011.
VTEP-2 performs a route lookup for the destination (subnet-A), which has been learned in the IP-VRF
with a next-hop of VTEP-1 and VNI label of 2000. The packet is thus VXLAN encapsulated with a VNI
label of 2000 and an inner DMAC of A (VTEP-1 system/router MAC), and routed to VTEP-1, which is the
next-hop for the prefix. Receiving the frame, VTEP-1 de-encapsulates the packet. With an inner DMAC
of the VTEP’s router MAC, it performs a local route lookup for the destination (subnet-A), which has been
learned with a next-hop of rtr-1. The frame is forwarded directly to rtr-1, which subsequently routes the
packet to the local host on subnet-A. The format of the type-5 route in interface-less mode is illustrated
in the figure below.
In this model, the VTEPs forming the EVI are interconnected via an IP-VRF, meaning there is no IRB
interface (MAC and IP) created for the interconnection on each of the VTEPs, hence the term
“interface-less”. With no IRB interface the gateway IP address within the type-5 route is set to zero;
traffic is routed to the prefix based on the next-hop of the route (VTEP IP) as well as the MAC address
conveyed within the Router MAC extended community, which represents the inner destination MAC of
the VXLAN encapsulated frame.
Inter-VRF Local Route Leaking Chapter 23: EVPN
switch(config)#hardware tcam
switch(config-hw-tcam)#system profile vxlan-routing
switch(config-hw-tcam)#interface Vxlan1
switch(config-hw-tcam-if-Vx1)#vxlan source-interface Loopback0
switch(config-hw-tcam-if-Vx1)#vxlan udp-port 4789
switch(config-hw-tcam-if-Vx1)#vxlan vrf vrf-blue vni 20001
switch(config-hw-tcam-if-Vx1)#vxlan vrf vrf-red vni 10001
23.6.1.2 Route-Distinguisher
Route-Distinguisher (RD) is used to uniquely identify routes from a particular VRF. A route distinguisher
is configured for every VRF that routes are exported from or imported into.
The following commands configure the route distinguisher for a VRF.
Switch(config-router-bgp)#vrf vrf-services
Switch(config-router-bgp-vrf-vrf-services)#rd 1.0.0.1:1
Switch(config-router-bgp)#vrf vrf-blue
Switch(config-router-bgp-vrf-vrf-blue)#rd 2.0.0.1:2
Examples
• These commands export routes from vrf-red to the local VPN table.
switch(config)#service routing protocols model multi-agent
switch(config)#mpls ip
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-red
switch(config-router-bgp-vrf-vrf-red)#rd 1:1
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv4 10:10
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv6 10:20
• These commands export routes from vrf-red to the EVPN table.
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-red
switch(config-router-bgp-vrf-vrf-red)#rd 1:1
switch(config-router-bgp-vrf-vrf-red)#route-target export evpn 10:1
Examples
• These commands import routes from the VPN table to vrf-blue.
switch(config)#service routing protocols model multi-agent
switch(config)#mpls ip
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-blue
switch(config-router-bgp-vrf-vrf-blue)#rd 2:2
switch(config-router-bgp-vrf-vrf-blue)#route-target import vpn-ipv4 10:10
switch(config-router-bgp-vrf-vrf-blue)#route-target import vpn-ipv6 10:20
• These commands import routes from the EVPN table to vrf-blue.
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-blue
switch(config-router-bgp-vrf-vrf-blue)#rd 2:2
switch(config-router-bgp-vrf-vrf-blue)#route-target import evpn 10:1
Note Prefixes that are leaked are not re-exported to the VPN table from the target VRF.
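Because a leak exists wherever one VRF imports a route target that another exports, the export and import commands above can be audited mechanically. The following is an added example, not part of the original manual or of EOS: it parses the `vrf` stanzas (with or without CLI prompts), lists every VRF-to-VRF leak, and flags any pair missing from an allow-list. The vrf-green stanza is a hypothetical addition to the page's commands, and treating route targets without an address-family keyword as their own "unspecified" family is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed input: the vrf-red / vrf-blue commands from the examples above,
# plus a hypothetical vrf-green that also imports the EVPN route target.
SAMPLE_CLI = """\
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-red
switch(config-router-bgp-vrf-vrf-red)#rd 1:1
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv4 10:10
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv6 10:20
switch(config-router-bgp-vrf-vrf-red)#route-target export evpn 10:1
switch(config-router-bgp-vrf-vrf-red)#route-target export evpn route-map EXPORT_ROUTES_T0_EVPN_TABLE
switch(config-router-bgp)#vrf vrf-blue
switch(config-router-bgp-vrf-vrf-blue)#rd 2:2
switch(config-router-bgp-vrf-vrf-blue)#route-target import vpn-ipv4 10:10
switch(config-router-bgp-vrf-vrf-blue)#route-target import vpn-ipv6 10:20
switch(config-router-bgp-vrf-vrf-blue)#route-target import evpn 10:1
switch(config-router-bgp)#vrf vrf-green
switch(config-router-bgp-vrf-vrf-green)#rd 3:3
switch(config-router-bgp-vrf-vrf-green)#route-target import evpn 10:1
"""

PROMPT = re.compile(r"^\S+\([^)]*\)#\s*")        # strips "switch(config-...)#"
RT_LINE = re.compile(
    r"^route-target\s+(import|export|both)\s+"
    r"(?:(evpn|vpn-ipv4|vpn-ipv6)\s+)?"          # address family is optional
    r"(\S+:\d+)$"                                 # RT value; route-map lines do not match
)
# Stanza headers that end the current "vrf <name>" context.
OTHER_STANZA = ("router ", "vlan ", "vlan-aware-bundle ", "address-family ", "interface ")


def parse_vrf_route_targets(text):
    """Return {vrf: {"import": {(family, rt)}, "export": {(family, rt)}}}."""
    vrfs = defaultdict(lambda: {"import": set(), "export": set()})
    current = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line.startswith("vrf ") and len(line.split()) == 2:
            current = line.split()[1]
            vrfs[current]                         # register VRFs that have no RTs
            continue
        if line == "!" or line.startswith(OTHER_STANZA):
            current = None                        # MAC-VRF RTs are out of scope here
            continue
        match = RT_LINE.match(line)
        if match and current:
            direction, family, rt = match.group(1), match.group(2) or "unspecified", match.group(3)
            for d in (("import", "export") if direction == "both" else (direction,)):
                vrfs[current][d].add((family, rt))
    return dict(vrfs)


def leak_edges(vrfs):
    """Every (source, target, family, rt) where target imports what source exports."""
    edges = set()
    for src, s in vrfs.items():
        for dst, d in vrfs.items():
            if src != dst:
                edges.update((src, dst, fam, rt) for fam, rt in s["export"] & d["import"])
    return sorted(edges)


def unexpected_leaks(vrfs, allowed_pairs):
    """Leaks whose (source, target) pair is not in the reviewed allow-list."""
    return [e for e in leak_edges(vrfs) if (e[0], e[1]) not in allowed_pairs]


if __name__ == "__main__":
    parsed = parse_vrf_route_targets(SAMPLE_CLI)
    for edge in unexpected_leaks(parsed, {("vrf-red", "vrf-blue")}):
        print("unreviewed leak: %s -> %s (%s RT %s)" % edge)
```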
Examples
• These commands export routes from vrf-red to the local VPN table.
switch(config)#service routing protocols model multi-agent
switch(config)#mpls ip
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-red
switch(config-router-bgp-vrf-vrf-red)#rd 1:1
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv4 10:10
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv6 10:20
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv4 route-map EXPORT_V4_ROUTES_T0_VPN_TABLE
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv6 route-map EXPORT_V6_ROUTES_T0_VPN_TABLE
• These commands export routes from vrf-red to the EVPN table.
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-red
switch(config-router-bgp-vrf-vrf-red)#rd 1:1
switch(config-router-bgp-vrf-vrf-red)#route-target export evpn 10:1
switch(config-router-bgp-vrf-vrf-red)#route-target export evpn route-map EXPORT_ROUTES_T0_EVPN_TABLE
Example
• These commands configure leaking of routes from “VRF1” to “VRF2” using the route-map “RM1”.
switch(config)#router general
switch(config-router-general)#vrf VRF2
switch(config-router-general-vrf-VRF2)#leak routes source-vrf VRF1 subscribe-policy RM1
Chapter 23: EVPN Configuring EVPN
Example
cvx(config)#router bgp 100
cvx(config-router-bgp)#vni-aware-bundle bundle1
cvx(config-macvrf-bundle1)#
Example
cvx(config)#router bgp 100
cvx(config-router-bgp)#vni-aware-bundle bundle1
cvx(config-macvrf-bundle1)# rd 530:12
cvx(config-macvrf-bundle1)# route-target both 530:12
Example
cvx(config)#router bgp 100
cvx(config-router-bgp)#vni-aware-bundle bundle1
cvx(config-macvrf-bundle1)#redistribute service vxlan
Note CVX is a part of the control plane and it is only connected to the VTEPs in its own DC. It does not have
IP connectivity to the VTEPs in a different DC.
Example
cvx(config)#router bgp 100
cvx(config-router-bgp)#address-family evpn
cvx(config-router-bgp-af)#next-hop resolution disabled
Example
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service vxlan
cvx(config-cvx-vxlan)#no shutdown
cvx(config-cvx-vxlan)#redistribute bgp evpn vxlan
Chapter 23: EVPN Sample Configurations
To provide VXLAN routing and bridging between the two MLAG domains, each leaf switch is EVPN
peering with the four spine switches via a loopback interface.
interface Ethernet8/1
description ck428-et8/1
speed forced 40gfull
no switchport
ip address 172.168.1.10/31
interface Loopback0
ip address 1.1.1.11/32
ip prefix-list loopback
seq 10 permit 1.1.1.0/24 ge 24
!
route-map loopback permit 10
match ip address prefix-list loopback
interface Loopback0
ip address 1.1.1.1/32
!
ip prefix-list loopback
seq 10 permit 1.1.1.0/24 ge 24
!
route-map loopback permit 10
match ip address prefix-list loopback
!
router bgp 65001
neighbor 172.168.1.1 remote-as 65004
redistribute connected route-map loopback
interface Ethernet36
no switchport
vrf VRF-Blue
ip address 172.168.1.9/31
interface Vlan10
vrf VRF-Blue
ip address virtual 10.10.10.1/24
interface Port-Channel3
switchport mode trunk
mlag 3
In the symmetric and asymmetric IRB configurations illustrated in the figures above, for Tenant-A, four
subnets are stretched across the two MLAG domains with two subnets (VLAN 10, 10.10.10.0/24 and
VLAN 11, 10.10.11.0/24) configured as a VLAN-based service, and two other subnets (VLAN
12, 10.10.12.0/24 and VLAN 13, 10.10.13.0/24) as a VLAN-aware bundle service.
For Tenant-B, four subnets are stretched across the two MLAG domains with two subnets (VLAN 210,
10.10.10.0/24 and VLAN 211, 10.10.11.0/24) configured as a VLAN-based service, and two other
subnets (VLAN 212, 10.10.12.0/24 and VLAN 213, 10.10.13.0/24) as a VLAN-aware bundle service.
In addition each MLAG domain has a single local subnet (Rack-1 subnet 10.10.20.0/24 and Rack-2
subnet 10.10.21.0/24) for the tenant. To provide direct distributed routing, each leaf switch is configured
with the same virtual IP address for the four stretched subnets. For the local-only subnets, the virtual
IP address is configured in both physical leaf switches of the relevant MLAG domain.
For each MLAG domain, a logical VTEP is created with the same shared loopback address. For
Rack-1, the logical VTEP IP is 2.2.2.1 and for the Rack-2, the logical VTEP IP is 2.2.2.2. Directly
connected to each leaf switch is a host, which is a member of one of the two IP subnets. To provide
Layer 2 connectivity across the racks, VXLAN bridging is enabled by mapping VLAN to VNIs as
detailed in the diagram.
To provide IP connectivity across all subnets both stretched and directly connected, an IP-VRF is
shared between the two MLAG domains for the tenant. This is used as a transit network for announcing
and forwarding the locally attached subnets. Each leaf switch is EVPN peering with the four spine
switches via a loopback interface on the leaf and again on the spine switches. To provide external
connectivity, Leaf-11 and Leaf-12 are eBGP peering via the tenants’ VRFs with the border routers. Both
core routers are advertising external prefixes for Internet and any remote site connectivity (default route
and IP prefixes from the other DC for the tenant). To provide connectivity within the EVPN domain, the
leaf switches (Leaf-21 and Leaf-22) re-advertise the prefixes into the tenant’s VRF via a type-5 route
advertisement, with a next-hop equal to the advertising VTEP.
vrf tenant-b
ip address virtual 10.10.13.254/24
!
interface Vlan220
mtu 9164
vrf tenant-b
ip address virtual 10.10.20.254/24
!
interface Vlan1111
description Unique-highest-IP-in-each-IP-Vrf
mtu 9164
vrf tenant-a
ip address 223.255.255.249/30
!
interface Vlan2111
description Unique-highest-IP-in-each-IP-Vrf
mtu 9164
vrf tenant-b
ip address 223.255.255.249/30
!
interface Vlan4093
ip address 172.168.11.1/30
vrf tenant-b
ip address virtual 10.10.13.254/24
!
interface Vlan221
mtu 9164
vrf tenant-b
ip address virtual 10.10.21.254/24
!
interface Vlan1111
description Unique-highest-IP-in-each-IP-Vrf
mtu 9164
vrf tenant-a
ip address 223.255.255.253/30
!
interface Vlan2111
description Unique-highest-IP-in-each-IP-Vrf
mtu 9164
vrf tenant-b
ip address 223.255.255.253/30
!
interface Vlan4093
ip address 172.168.11.1/30
!
Note This configuration uses VXLAN routing. For single-chip T2 and TH platforms, recirculation must be
enabled. For R-Series platforms, the following configuration commands must be added:
hardware tcam
system profile vxlan-routing
Refer to diagrams for VLAN and SVI assignment to tenant; Leaf-11 also has peering out to the border
router in addition to the connected SVIs.
SPINE_EVPN overlay eBGP peering between spine and leaf, using loopbacks
Figure 23-46: Physical Underlay Topology
To ensure all routes are correctly imported between VTEPs sharing the same Layer-2 domain, the
import and export RTs are equal across the two MLAG domains. The redistribute learned statement
under each MAC VRF ensures any locally learned MACs in the VLAN are automatically announced as
type-2 routes.
The IP VRF (Tenant-A) is created on all leaf switches which have subnets attached to the tenant’s VRF
with the same route target ensuring that routes are correctly imported and exported between VTEPs
in the VRF. On Leaf-21 and Leaf-22, to import the external routes an eBGP session with the BGP
peering router is created under the IP VRF (Tenant-A) context, and a peering from each to the other is
created on the overlay.
Note All MAC VRFs are unique, and each has its own RT, matched by the other leaves in the DC. The
“tenants” as such are defined at layer 3 by assigning SVIs to the appropriate VRF. To view this
assignment, use the show ip route vrf <tenant> connected command. Note below that VLANs 12-13
and 212-213 (shown in bold) are configured as a bundle-aware EVPN service. Also note the peering
from Leaf-11 to the BGP border router in each tenant VRF.
EVPN BGP Overlay Configuration for the Tenants’ MAC VRFs and IP VRF: Leaf-11
route-map loopback permit 10
match ip address prefix-list loopback
!
route-map dont_advertise_loopbacks deny 10
match ip address prefix-list loopback
!
route-map dont_advertise_loopbacks permit 20
!
ip prefix-list loopback
seq 10 permit 1.1.1.11/32
seq 20 permit 1.1.1.12/32
seq 30 permit 1.1.1.22/32
seq 40 permit 1.1.1.21/32
seq 50 permit 2.2.2.1/32
seq 60 permit 2.2.2.2/32
!
router bgp 65002
router-id 1.1.1.11
maximum-paths 4
neighbor SPINE_EVPN peer-group
neighbor SPINE_EVPN remote-as 65001
neighbor SPINE_EVPN update-source Loopback0
neighbor SPINE_EVPN allowas-in 2
neighbor SPINE_EVPN ebgp-multihop 5
neighbor SPINE_EVPN send-community extended
neighbor SPINE_EVPN maximum-routes 12000
neighbor 1.1.1.1 peer-group SPINE_EVPN
neighbor 1.1.1.2 peer-group SPINE_EVPN
redistribute connected route-map loopback
!
vlan 10
rd 1.1.1.11:1010
route-target both 1010:1010
redistribute learned
!
vlan 11
rd 1.1.1.11:1011
route-target both 1011:1011
redistribute learned
!
vlan 20
rd 1.1.1.11:1020
route-target both 1020:1020
redistribute learned
!
vlan 210
rd 1.1.1.11:1210
route-target both 1210:1210
redistribute learned
no redistribute host-route
!
vlan 211
rd 1.1.1.11:1211
route-target both 1211:1211
redistribute learned
no redistribute host-route
!
vlan 220
rd 1.1.1.11:1220
route-target both 1220:1220
redistribute learned
no redistribute host-route
!
vlan-aware-bundle Tenant-A-VLAN-12-13
rd 1.1.1.11:1213
route-target both 12:13
redistribute learned
vlan 12-13
!
vlan-aware-bundle Tenant-B-VLAN-212-213
rd 1.1.1.11:21213
route-target both 212:213
redistribute learned
no redistribute host-route
vlan 212-213
!
address-family evpn
neighbor SPINE_EVPN activate
!
address-family ipv4
no neighbor SPINE_EVPN activate
!
vrf tenant-a
rd 1.1.1.11:1000
route-target import 1000:1000
route-target export 1000:1000
neighbor 192.168.168.9 remote-as 64512
neighbor 192.168.168.9 local-as 65002 no-prepend replace-as
neighbor 192.168.168.9 maximum-routes 12000
neighbor 223.255.255.250 peer-group LEAF_PEER_OVERLAY
neighbor 223.255.255.250 remote-as 65004
neighbor 223.255.255.250 local-as 65002 no-prepend replace-as
redistribute connected route-map dont_advertise_loopbacks
!
vrf tenant-b
rd 1.1.1.11:1001
route-target import 1001:1001
route-target export 1001:1001
neighbor 192.168.168.21 remote-as 64513
neighbor 192.168.168.21 local-as 65002 no-prepend replace-as
neighbor 192.168.168.21 maximum-routes 12000
neighbor 223.255.255.249 peer-group LEAF_PEER_OVERLAY
neighbor 223.255.255.249 remote-as 65004
neighbor 223.255.255.249 local-as 65002 no-prepend replace-as
redistribute connected route-map dont_advertise_loopbacks
EVPN BGP Overlay Configuration for the Tenants’ MAC VRFs and IP VRF: Leaf-12
route-map loopback permit 10
match ip address prefix-list loopback
!
route-map dont_advertise_loopbacks deny 10
match ip address prefix-list loopback
!
route-map dont_advertise_loopbacks permit 20
!
ip prefix-list loopback
seq 10 permit 1.1.1.11/32
seq 20 permit 1.1.1.12/32
seq 30 permit 1.1.1.22/32
seq 40 permit 1.1.1.21/32
seq 50 permit 2.2.2.1/32
seq 60 permit 2.2.2.2/32
!
router bgp 65002
router-id 1.1.1.12
maximum-paths 4
neighbor SPINE_EVPN peer-group
neighbor SPINE_EVPN remote-as 65001
neighbor SPINE_EVPN update-source Loopback0
neighbor SPINE_EVPN allowas-in 2
neighbor SPINE_EVPN ebgp-multihop 5
neighbor SPINE_EVPN send-community extended
neighbor SPINE_EVPN maximum-routes 12000
neighbor 1.1.1.1 peer-group SPINE_EVPN
neighbor 1.1.1.2 peer-group SPINE_EVPN
redistribute connected route-map loopback
!
vlan 10
rd 1.1.1.12:1010
route-target both 1010:1010
redistribute learned
!
vlan 11
rd 1.1.1.12:1011
route-target both 1011:1011
redistribute learned
!
vlan 20
rd 1.1.1.12:1020
route-target both 1020:1020
redistribute learned
!
vlan 210
rd 1.1.1.12:1210
route-target both 1210:1210
redistribute learned
no redistribute host-route
!
vlan 211
rd 1.1.1.12:1211
route-target both 1211:1211
redistribute learned
no redistribute host-route
!
vlan 220
rd 1.1.1.12:1220
route-target both 1220:1220
redistribute learned
no redistribute host-route
!
vlan-aware-bundle Tenant-A-VLAN-12-13
rd 1.1.1.12:1213
route-target both 12:13
redistribute learned
vlan 12-13
!
vlan-aware-bundle Tenant-B-VLAN-212-213
rd 1.1.1.12:21213
route-target both 212:213
redistribute learned
no redistribute host-route
vlan 212-213
!
address-family evpn
neighbor SPINE_EVPN activate
!
address-family ipv4
no neighbor SPINE_EVPN activate
!
vrf tenant-a
rd 1.1.1.12:1000
route-target import 1000:1000
route-target export 1000:1000
neighbor 192.168.168.13 remote-as 64512
neighbor 192.168.168.13 local-as 65002 no-prepend replace-as
neighbor 192.168.168.13 maximum-routes 12000
neighbor 223.255.255.249 peer-group LEAF_PEER_OVERLAY
neighbor 223.255.255.249 remote-as 65002
neighbor 223.255.255.249 local-as 65004 no-prepend replace-as
redistribute connected route-map dont_advertise_loopbacks
!
vrf tenant-b
rd 1.1.1.12:1001
route-target import 1001:1001
route-target export 1001:1001
neighbor 192.168.168.23 remote-as 64513
neighbor 192.168.168.23 local-as 65002 no-prepend replace-as
neighbor 192.168.168.23 maximum-routes 12000
neighbor 223.255.255.249 peer-group LEAF_PEER_OVERLAY
neighbor 223.255.255.249 remote-as 65002
neighbor 223.255.255.249 local-as 65004 no-prepend replace-as
redistribute connected route-map dont_advertise_loopbacks
EVPN BGP Overlay Configuration for the Tenants’ MAC VRFs and IP VRF: Leaf-21
route-map loopback permit 10
match ip address prefix-list loopback
!
route-map dont_advertise_loopbacks deny 10
match ip address prefix-list loopback
!
route-map dont_advertise_loopbacks permit 20
!
router bgp 65002
router-id 1.1.1.21
maximum-paths 4
neighbor SPINE_EVPN peer-group
neighbor SPINE_EVPN remote-as 65001
neighbor SPINE_EVPN update-source Loopback0
neighbor SPINE_EVPN allowas-in 2
neighbor SPINE_EVPN ebgp-multihop 5
neighbor SPINE_EVPN send-community extended
neighbor SPINE_EVPN maximum-routes 12000
neighbor 1.1.1.1 peer-group SPINE_EVPN
neighbor 1.1.1.2 peer-group SPINE_EVPN
redistribute connected route-map loopback
!
vlan 10
rd 1.1.1.21:1010
route-target both 1010:1010
redistribute learned
!
vlan 11
rd 1.1.1.21:1011
route-target both 1011:1011
redistribute learned
!
vlan 21
rd 1.1.1.21:1021
route-target both 1021:1021
redistribute learned
!
vlan 210
rd 1.1.1.21:1210
route-target both 1210:1210
redistribute learned
no redistribute host-route
!
vlan 211
rd 1.1.1.21:1211
route-target both 1211:1211
redistribute learned
no redistribute host-route
!
vlan 221
rd 1.1.1.21:1221
route-target both 1221:1221
redistribute learned
no redistribute host-route
!
vlan-aware-bundle Tenant-A-VLAN-12-13
rd 1.1.1.21:1213
EVPN BGP Overlay Configuration for the Tenants’ MAC VRFs and IP VRF: Leaf-22
route-map loopback permit 10
match ip address prefix-list loopback
!
route-map dont_advertise_loopbacks deny 10
match ip address prefix-list loopback
!
route-map dont_advertise_loopbacks permit 20
!
router bgp 65002
router-id 1.1.1.22
maximum-paths 4
neighbor SPINE_EVPN peer-group
neighbor SPINE_EVPN remote-as 65001
neighbor SPINE_EVPN update-source Loopback0
neighbor SPINE_EVPN allowas-in 2
neighbor SPINE_EVPN ebgp-multihop 5
neighbor SPINE_EVPN send-community extended
neighbor SPINE_EVPN maximum-routes 12000
neighbor 1.1.1.1 peer-group SPINE_EVPN
neighbor 1.1.1.2 peer-group SPINE_EVPN
redistribute connected route-map loopback
!
vlan 10
rd 1.1.1.22:1010
route-target both 1010:1010
redistribute learned
!
vlan 11
rd 1.1.1.22:1011
route-target both 1011:1011
redistribute learned
!
vlan 21
rd 1.1.1.22:1021
route-target both 1021:1021
redistribute learned
!
vlan 210
rd 1.1.1.22:1210
route-target both 1210:1210
redistribute learned
no redistribute host-route
!
vlan 211
rd 1.1.1.22:1211
route-target both 1211:1211
redistribute learned
no redistribute host-route
!
vlan 221
rd 1.1.1.22:1221
route-target both 1221:1221
redistribute learned
no redistribute host-route
!
vlan-aware-bundle Tenant-A-VLAN-12-13
rd 1.1.1.22:1213
[Figure: NW-CORE (AS 64512) eBGP peering to Leaf 11 and Leaf 12 (7050SX) in DC1 across the ISIS SR MPLS core, one panel per tenant. TENANT-A: interfaces ET 6/2.1, ET 6/3.1 and ET 2.1; subnets 192.168.168.0/30, 192.168.168.4/30, 192.168.168.8/30 and 192.168.168.12/30. TENANT-B: interfaces ET 6/2.2, ET 6/3.2 and ET 2.2; subnets 192.168.168.16/31, 192.168.168.18/31, 192.168.168.20/31 and 192.168.168.22/31.]
[Figure: H1 --> H2 forwarding path; values shown: 1040210, Loopback 0 6.6.6.6, 100.10.11.0/24.]
The North Edge router has an eBGP peering session out to leaf-11 and leaf-12 in DC1, while the South
Edge router has peerings to leaf-11 and leaf-12 in DC2. Tenant-a has a few additional local interfaces
used for testing.
Example
• The show ip route vrf tenant-a connected command displays the interfaces assigned to
tenant-a on the North Edge router.
north-edge#show ip route vrf tenant-a connected
VRF: tenant-a
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
Activating EVPN
In all scenarios, EVPN must be activated under BGP and neighbors configured to exchange Layer
2 VPN/EVPN NLRI. The tenant’s VRF (tenant-a and tenant-b) is associated with a dynamically
assigned label by BGP.
An activated EVPN provides the following functionalities:
• Enables the multi-agent routing protocol model, which is required for EVPN support.
• Sets the local autonomous system number to 64512 and configures IBGP neighbors that are
activated for the Layer 2 VPN/EVPN address family.
• Sets the EVPN encapsulation type to MPLS.
• Specifies that Loopback0 will be used as the next-hop for all advertised EVPN routes. The underlay
configuration must provide MPLS LSPs from remote PEs to this loopback interface address.
Example
• The service routing protocols model multi-agent command activates EVPN on the north edge
router.
service routing protocols model multi-agent
Example
The vrf tenant-a and vrf tenant-b commands define overlay VRFs (tenant-a and tenant-b) on the
VTEP of the North Edge router and enable IPv4 routing within them.
vrf tenant-a
rd 1.1.1.1:64512
route-target import evpn 64512:11
route-target export evpn 64512:11
router-id 1.1.1.111
neighbor 192.168.168.10 remote-as 65002
neighbor 192.168.168.10 local-as 64512 no-prepend replace-as
neighbor 192.168.168.10 default-originate
neighbor 192.168.168.10 maximum-routes 12000
neighbor 192.168.168.14 remote-as 65002
neighbor 192.168.168.14 local-as 64512 no-prepend replace-as
neighbor 192.168.168.14 default-originate
neighbor 192.168.168.14 maximum-routes 12000
redistribute connected
redistribute static
!
vrf tenant-b
rd 1.1.1.1:64513
route-target import evpn 64513:11
route-target export evpn 64513:11
router-id 1.1.1.111
neighbor 192.168.168.20 remote-as 65002
neighbor 192.168.168.20 local-as 64513 no-prepend replace-as
neighbor 192.168.168.20 maximum-routes 12000
neighbor 192.168.168.22 remote-as 65002
neighbor 192.168.168.22 local-as 64513 no-prepend replace-as
neighbor 192.168.168.22 maximum-routes 12000
redistribute connected
redistribute static
!
Examples
• The show bgp evpn summary command displays the status of EVPN peers in North Edge router.
north-edge#show bgp evpn summary
BGP summary information for VRF default
Router identifier 1.1.1.111, local AS number 64512
Neighbor Status Codes: m - Under maintenance
Neighbor V AS MsgRcvd MsgSent InQ OutQ Up/Down State PfxRcd PfxAcc
2.2.2.222 4 64512 195 127 0 0 01:13:31 Estab 78 78
• The show bgp evpn route-type ip-prefix ipv4 next-hop 6.6.6.6 command displays all BGP
EVPN ip prefix routes received from the South Edge router (6.6.6.6). Not all are advertised via the
RR 2.2.2.222.
Note Each entry in the table represents a BGP path. The path specific information includes
Route-Distinguisher and IP prefix. Paths are either received from EVPN peers or exported from local
VRFs.
Note Tenant-a and tenant-b share the same route. Hence, both route with RD 6.6.6.6:64513 and RT
64513:11.
• The show ip bgp vrf tenant-a command displays the BGP table for VRF tenant-a, containing
imported EVPN routes. Each entry in the table represents a BGP path that is either locally
redistributed / received into the VRF or imported from the EVPN table.
north-edge#show ip bgp vrf tenant-a
BGP routing table information for VRF tenant-a
Router identifier 1.1.1.111, local AS number 64512
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Note EVPN routes are received from router 2.2.2.222 C-List (cluster list - basically identifying this route as
from a route-reflector) with originating router being 6.6.6.6.
• The show ip route vrf tenant-b command displays the BGP table for VRF in tenant-b containing
imported EVPN routes.
north-edge#show ip route vrf tenant-b
VRF: tenant-b
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
Note If we look at the routes in the VRF for tenant-b, we see that the VPN label has now changed, whilst the
transport label for NH 6.6.6.6 is the same. The only difference seen in tenant-b, aside from the different
VPN label, is that there are no host-routes in tenant-b because within each DC tenant-b is running in
asymmetric mode, therefore no host routes are generated/installed in the IP VRF.
[Figure: NW-CORE (AS 64512) connections to Leaf 11 and Leaf 12 (7050SX) in DC1, one panel per tenant. TENANT-A (ISIS SR, MPLS): interfaces ET 6/2.1, ET 6/3.1 and ET 2.1; subnets 192.168.168.0/30, 192.168.168.4/30, 192.168.168.8/30 and 192.168.168.12/30. TENANT-B (LDP MPLS): interfaces ET 6/2.2, ET 6/3.2 and ET 2.2; subnets 192.168.168.16/31, 192.168.168.18/31, 192.168.168.20/31 and 192.168.168.22/31.]
[Figure: H1 --> H2 forwarding path over LDP; values shown: 6.6.6.200/32, Label 3, CE 192.168.168.5, 1040210, Loopback 200 6.6.6.200, 100.10.11.0/24.]
To switch to using the MPLS LDP transport, we simply need to change the next-hop advertised for
EVPN routes. As per Figure 23-51, the next hop needs to be set to loopback 200 to use the LDP LSP.
This is simply achieved by configuring the next-hop for EVPN routes on both the North Edge and South
Edge routers. The output again includes the RD and IP prefix identifying the route. As seen in the output,
we now have the NH set to 6.6.6.200 for tenant-a and tenant-b.
router bgp 64512
!
address-family evpn
neighbor default encapsulation mpls next-hop-self source-interface Loopback200
Once this is configured, we can check the BGP updates and the routes in the VRF.
north-edge# show bgp evpn route-type ip-prefix 100.10.11.0/24 detail
BGP routing table information for VRF default
Router identifier 1.1.1.111, local AS number 64512
BGP routing table entry for ip-prefix 100.10.11.0/24, Route Distinguisher: 6.6.6.6:64512
Paths: 1 available
65006
6.6.6.200 from 2.2.2.222 (2.2.2.222)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Extended Community: Route-Target-AS:64512:11 TunnelEncap:tunnelTypeMpls
MPLS label: 958810
BGP routing table entry for ip-prefix 100.10.11.0/24, Route Distinguisher: 6.6.6.6:64513
Paths: 1 available
65006
6.6.6.200 from 2.2.2.222 (2.2.2.222)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Extended Community: Route-Target-AS:64513:11 TunnelEncap:tunnelTypeMpls
MPLS label: 953372
Note Again, we have the same route in tenant-a and tenant-b in DC2. Hence, the two other routes with RD
6.6.6.6:64513 and RT 64513:11. The VPN label has not changed, reinforcing the fact that the BGP
VPN label is orthogonal to the transport label.
VRF: tenant-a
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
Note As can be seen from the label stack of the highlighted route above, the route has the same VPN
label 958810, but the transport labels are now 904097 and 904098 on top (this is the ECMP label path to
reach NH 6.6.6.200).
VRF: tenant-b
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
Note The only difference apart from the missing host routes (no host-route inject for this tenant), is the VPN
label.
[Figure: BGP EVPN over an EBGP-SR core. NORTH EDGE (AS 1) and SOUTH EDGE (AS 6) connect through NW-CORE (AS 2) and NE-CORE (AS 4); iBGP-EVPN sessions in AS 64512 run 1.1.1.111 <-> 2.2.2.222 and 6.6.6.6 <-> 2.2.2.222.]
[Figure: H1 --> H2 forwarding path over BGP-SR; values shown: 6.6.6.66/32, Index 66 [IMPL NULL], SRGB 200000, CE 192.168.168.5, 1040210, Loopback 1 6.6.6.66, 100.10.11.0/24.]
To switch to using the MPLS BGP-SR transport, we simply need to change the next-hop advertised for
the EVPN routes. As per Figure 23-54, the next hop needs to be set to loopback 1 for using the
BGP-SR LSP. This is achieved by configuring the next-hop for the EVPN routes.
router bgp 64512
!
address-family evpn
neighbor default encapsulation mpls next-hop-self source-interface Loopback1
Once the next-hop for the EVPN routes is configured, we can check the BGP updates and the routes
in the VRF. The output again includes the RD and IP prefix identifying the route. As seen in the output,
we now have the NH set to 6.6.6.66 for tenant-a and tenant-b.
North Edge.17:52:30#show bgp evpn route-type ip-prefix 100.10.11.0/24 detail
north-edge(config-if-Et2/1)#show bgp evpn route-type ip-prefix 100.10.11.0/24 detail
BGP routing table information for VRF default
Router identifier 1.1.1.111, local AS number 64512
BGP routing table entry for ip-prefix 100.10.11.0/24, Route Distinguisher: 6.6.6.6:64512
Paths: 1 available
65006
6.6.6.66 from 2.2.2.222 (2.2.2.222)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Extended Community: Route-Target-AS:64512:11 TunnelEncap:tunnelTypeMpls
MPLS label: 958810
BGP routing table entry for ip-prefix 100.10.11.0/24, Route Distinguisher: 6.6.6.6:64513
Paths: 1 available
65006
6.6.6.66 from 2.2.2.222 (2.2.2.222)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Extended Community: Route-Target-AS:64513:11 TunnelEncap:tunnelTypeMpls
MPLS label: 953372
Note Again, we have the same route in tenant-a and tenant-b in DC2, hence the two other routes with RD
6.6.6.6:64513 and RT 64513:11. The VPN label has not changed, reinforcing the fact that the BGP
VPN label is orthogonal to the transport label.
VRF: tenant-a
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
As can be seen from the highlighted route above, the label stack of the route has the transport labels
958810 and 200066 on top (this is the ECMP label path to reach NH 6.6.6.66), with the tenant-a VPN
label 958810 next in the stack, identifying the route as belonging to tenant-a.
As a comparison, let us look at the routes for tenant-b. As seen in the output, the VPN label assigned
to tenant-b is 953372.
north-edge#show bgp evpn route-type ip-prefix 100.10.11.0/24 detail
BGP routing table information for VRF default
Router identifier 1.1.1.111, local AS number 64512
BGP routing table entry for ip-prefix 100.10.11.0/24, Route Distinguisher: 6.6.6.6:64512
Paths: 1 available
65006
6.6.6.66 from 2.2.2.222 (2.2.2.222)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Extended Community: Route-Target-AS:64512:11 TunnelEncap:tunnelTypeMpls
MPLS label: 958810
BGP routing table entry for ip-prefix 100.10.11.0/24, Route Distinguisher: 6.6.6.6:64513
Paths: 1 available
65006
6.6.6.66 from 2.2.2.222 (2.2.2.222)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Extended Community: Route-Target-AS:64513:11 TunnelEncap:tunnelTypeMpls
MPLS label: 953372
north-edge#
If we now look at the routes in the VRF for tenant-b, we see that the VPN label has changed, whilst
the transport label (for NH 6.6.6.66) is the same. The only difference seen in tenant-b, aside from the
different VPN label, is that there are no host routes, because within each DC tenant-b is
running in asymmetric mode and therefore no host routes are generated or installed in the IP VRF.
VRF: tenant-b
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
Figure 23-56 and Figure 23-57 illustrate the sample VPN Physical Topology.
Figure 23-56: IPv4 VPN Physical Topology
[Figure: VPN physical topology, drawn once for BGP-IPv4 VPN and once for BGP-IPv6 VPN. Labels: NORTH EDGE, SOUTH EDGE, NW-CORE (RR), NE-CORE, CE; transports IS-IS SR, LDP and BGP-SR; TENANT-D (ET 6/1.120) and TENANT-A (ET 6/1.620). Lo200 addresses: North Edge 1.1.1.200, NW Core 2.2.2.200, SW Core 3.3.3.200, NE Core 4.4.4.200, SE Core 5.5.5.200, South Edge 6.6.6.200.]
[Figure: IPv4 VPN and IPv6 VPN over IS-IS SR MPLS. Labels: NW-CORE, TENANT-D (ET 6/1.120), TENANT-A (ET 6/1.620), eBGP peering to the CEs. IPv4 panel: VL120 10.255.255.2/30, VL121 201.0.0.1/24, VL620 10.255.255.6/30, VL621 206.0.0.1/24. IPv6 panel: VL120 2010::1/126, VL121 2201::1/64, VL620 2010::6/126, VL621 2201::6/64.]
Figure 23-59 and Figure 23-60 illustrate the forwarding path and control plane for both IPv4 and IPv6 traffic over
ISIS MPLS segment routing.
Figure 23-59: IPv4 VPN Forwarding Over ISIS-SR MPLS
[Figure: H1 --> H2 forwarding over IS-IS SR. Labels: Loopback 0, 6.6.6.6; label 967920 with 206.0.0.0/24 (IPv4 panel) and label 965242 with 2206::/64 (IPv6 panel).]
• The show ip route vrf tenant-d command displays IPv4 Routes in the VRF of North Edge.
north-edge#show ip route vrf tenant-d
VRF: tenant-d
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
• The show ip route vrf tenant-d command displays IPv4 Routes in the VRF of South Edge.
south-edge#show ip route vrf tenant-d
VRF: tenant-d
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
VRF: tenant-d
Displaying 4 of 7 IPv6 routing table entries
Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R - RIP, A B - BGP Aggregate, I L1 -
IS-IS level 1, I L2 - IS-IS level 2, DH - DHCP, NG - Nexthop Group Static Route, M - Martian, DP - Dynamic
Policy Route
B 2010::/126 [200/0]
via 6.6.6.6/32, IS-IS SR tunnel index 6, label 965242
via 192.168.58.12, Ethernet1/1, label 408006
C 2010::4/126 [0/0]
via Ethernet6/1.120, directly connected
B 2201::/64 [200/0]
via 2010::6, Ethernet6/1.120
B 2206::/64 [200/0]
via 6.6.6.6/32, IS-IS SR tunnel index 6, label 965242
via 192.168.58.12, Ethernet1/1, label 408006
• The show ipv6 route vrf tenant-d command displays IPv6 Routes in the VRF of South Edge.
south-edge#show ipv6 route vrf tenant-d
VRF: tenant-d
Displaying 4 of 7 IPv6 routing table entries
Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R - RIP, A B - BGP Aggregate, I L1 -
IS-IS level 1, I L2 - IS-IS level 2, DH - DHCP, NG - Nexthop Group Static Route, M - Martian, DP - Dynamic
Policy Route
C 2010::/126 [0/0]
via Ethernet6/1.620, directly connected
B 2010::4/126 [200/0]
via 1.1.1.111/32, IS-IS SR tunnel index 5, label 948858
via 192.168.68.11, Ethernet2/1, label 408001
B 2201::/64 [200/0]
via 1.1.1.111/32, IS-IS SR tunnel index 5, label 948858
via 192.168.68.11, Ethernet2/1, label 408001
B 2206::/64 [200/0]
via 2010::2, Ethernet6/1.620
Activating IP VPN
In all scenarios, the IP VPN must be activated under BGP and neighbors configured to exchange the
IP VPN NLRIs. The tenant’s VRF (tenant-d) is associated with a label dynamically assigned by BGP.
North Edge
service routing protocols model multi-agent
South Edge
service routing protocols model multi-agent
Note Each entry in the table represents a BGP path. The path specific information includes the
Route-Distinguisher and the IP prefix. Paths are either received from VPN peers or exported from local
VRFs.
• The show bgp vpn-ipv4 206.0.0.0/24 detail and show bgp vpn-ipv6 2206::/64 detail commands
display a detailed view of the IP prefix routes for 206.0.0.0/24 and 2206::/64 on the North Edge router.
north-edge#show bgp vpn-ipv4 206.0.0.0/24 detail
BGP routing table information for VRF default
Router identifier 1.1.1.111, local AS number 64512
BGP routing table entry for IPv4 prefix 206.0.0.0/24, Route Distinguisher: 6.6.6.6:64514
Paths: 1 available
65010
6.6.6.6 from 2.2.2.222 (2.2.2.222)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Extended Community: Route-Target-AS:64512:4364
MPLS label: 967920
Note The output includes the RD and IP prefix identifying the route. As seen in the output, the IPv4 VPN
route is received from 2.2.2.222 because it is set up as a route reflector, but the next hop is 6.6.6.6.
Both are advertised with the tenant VPN labels 967920 and 965242 and an RT.
• The show ip bgp vrf tenant-d command displays the BGP table for the VRF containing the
imported EVPN routes.
north-edge#show ip bgp vrf tenant-d
BGP routing table information for VRF tenant-d
Router identifier 1.1.1.1, local AS number 64512
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Network Next Hop Metric LocPref Weight Path
* >Ec 10.255.255.0/30 6.6.6.6 - 100 0 65010 i Or-ID: 6.6.6.6 C-LST: 2.2.2.222
* ec 10.255.255.0/30 6.6.6.6 - 100 0 65010 i Or-ID: 6.6.6.6 C-LST: 2.2.2.222
* > 10.255.255.4/30 10.255.255.6 - 100 0 65011 i
* > 201.0.0.0/24 10.255.255.6 - 100 0 65011 i
* >Ec 206.0.0.0/24 6.6.6.6 - 100 0 65010 i Or-ID: 6.6.6.6 C-LST: 2.2.2.222
* ec 206.0.0.0/24 6.6.6.6 - 100 0 65010 i Or-ID: 6.6.6.6 C-LST: 2.2.2.222
Note Each entry in the table represents a BGP path that is either locally redistributed and received into the
VRF or imported from the IPv4 VPN table. VPN routes are received from router 2.2.2.222 (the C-LST,
or cluster list, identifies the route as coming from a route reflector), with the originating router being
6.6.6.6.
VRF: tenant-d
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
Note As displayed in the highlighted route above, the label stack has the transport label 408006 on
top (this is the label to reach NH 6.6.6.6), with the tenant-a VPN label 967920 next in the stack,
identifying the route as belonging to tenant-d.
A check of the Tunnel FIB confirms that 408006 is the ISIS-SR LSP.
north-edge#show mpls tunnel fib
! 'show mpls tunnel fib' has been deprecated. Please use 'show tunnel fib [options]' moving forward.
Tunnel Type Index Endpoint Nexthop Interface Labels Forwarding
------------------- --------- ------------------ ------------------- ------------------ ----------------
IS-IS SR IPv4 9 2.2.2.22/32 192.168.58.12 Ethernet1/1 [ 3 ] None
LDP 4 2.2.2.200/32 192.168.58.12 Ethernet1/1 [ 3 ] None
IS-IS SR IPv4 2 2.2.2.222/32 192.168.58.12 Ethernet1/1 [ 3 ] None
IS-IS SR IPv4 4 3.3.3.3/32 192.168.58.12 Ethernet1/1 [ 408003 ] None
BGP LU 5 3.3.3.33/32 192.168.58.12 Ethernet1/1 [ 200033 ] None
LDP 5 3.3.3.200/32 192.168.58.12 Ethernet1/1 [ 904099 ] None
IS-IS SR IPv4 8 4.4.4.4/32 192.168.58.12 Ethernet1/1 [ 408004 ] None
IS-IS SR IPv4 5 4.4.4.44/32 192.168.58.12 Ethernet1/1 [ 408044 ] None
LDP 2 4.4.4.200/32 192.168.58.12 Ethernet1/1 [ 904098 ] None
IS-IS SR IPv4 3 5.5.5.5/32 192.168.58.12 Ethernet1/1 [ 408005 ] Primary
BGP LU 7 5.5.5.55/32 192.168.58.12 Ethernet1/1 [ 200055 ] None
LDP 3 5.5.5.200/32 192.168.58.12 Ethernet1/1 [ 904100 ] None
IS-IS SR IPv4 6 6.6.6.6/32 192.168.58.12 Ethernet1/1 [ 408006 ] Primary
BGP LU 8 6.6.6.66/32 192.168.58.12 Ethernet1/1 [ 200066 ] None
LDP 1 6.6.6.200/32 192.168.58.12 Ethernet1/1 [ 904097 ] None
IS-IS SR IPv4 1 23.1.1.11/32 192.168.1.154 Ethernet36/1 [ 3 ] Primary
IS-IS SR IPv4 7 23.1.1.33/32 192.168.1.174 Ethernet23/1 [ 3 ] Primary
[Figure: IPv4 VPN and IPv6 VPN over LDP MPLS. Labels: NW-CORE, TENANT-D (ET 6/1.120), TENANT-A (ET 6/1.620), eBGP peering to the CEs.]
[Figure: H1 --> H2 forwarding over LDP. Labels: Loopback 200, 6.6.6.200/32, LDP Label 3; label 967920 with 206.0.0.0/24 and CE 10.255.255.2 (IPv4 panel); label 965242 with 2206::/64 and CE 2010::2 (IPv6 panel).]
To switch to using the MPLS LDP transport, we just need to change the next-hop we advertised for the
VPN routes. As per Figure 23-62 and Figure 23-63, the next hop needs to be set to loopback 200 for
using the LDP LSP.
This is achieved by configuring the next-hop for the EVPN routes on both north and south edge routers.
router bgp 64512
!
address-family evpn
neighbor default encapsulation mpls next-hop-self source-interface Loopback200
Once this is configured, we can check the BGP updates and the routes in the VRF. The output again
includes the RD and IP prefix identifying the route. We now have the NH set to 6.6.6.200 for tenant-d.
north-edge#show bgp vpn-ipv4 206.0.0.0/24 detail
BGP routing table information for VRF default
Router identifier 1.1.1.111, local AS number 64512
BGP routing table entry for IPv4 prefix 206.0.0.0/24, Route Distinguisher: 6.6.6.6:64514
Paths: 1 available
65010
6.6.6.200 from 2.2.2.222 (2.2.2.222)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Extended Community: Route-Target-AS:64512:4364
MPLS label: 967920
north-edge#
north-edge#show bgp vpn-ipv6 2206::/64 detail
BGP routing table information for VRF default
Router identifier 1.1.1.111, local AS number 64512
BGP routing table entry for IPv6 prefix 2206::/64, Route Distinguisher: 6.6.6.6:64514
Paths: 1 available
65010
6.6.6.200 from 2.2.2.222 (2.2.2.222)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Extended Community: Route-Target-AS:64512:4364
MPLS label: 965242
north-edge#
Note The VPN label has not changed from the ISIS-SR case above (967920 & 965242), reinforcing the fact
that the BGP VPN label is orthogonal to the transport label.
VRF: tenant-d
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
VRF: tenant-d
Displaying 4 of 7 IPv6 routing table entries
Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R - RIP, A B - BGP Aggregate, I L1 -
IS-IS level 1, I L2 - IS-IS level 2, DH - DHCP, NG - Nexthop Group Static Route, M - Martian, DP - Dynamic
Policy Route
B 2010::/126 [200/0]
via 6.6.6.6/32, IS-IS SR tunnel index 6, label 965242
via 192.168.58.12, Ethernet1/1, label 408006
C 2010::4/126 [0/0]
via Ethernet6/1.120, directly connected
B 2201::/64 [200/0]
via 2010::6, Ethernet6/1.120
B 2206::/64 [200/0]
via 6.6.6.6/32, IS-IS SR tunnel index 6, label 965242
via 192.168.58.12, Ethernet1/1, label 408006
Note As seen from the highlighted route above, the label stack has the transport label 904097 on
top (this is the label path to reach NH 6.6.6.200), with the tenant-d VPN label 967920 next in the stack,
identifying the route as belonging to tenant-a.
A capture of the data plane on North-Edge matching on the LDP transport label confirms the
encapsulated traffic on the wire: 904097:976920:[Source IP Address][Destination IP Address].
[Figure: IPv4 VPN and IPv6 VPN over eBGP-SR. Labels: NW-CORE, NE-CORE, TENANT-D, TENANT-A, CE; AS 1, AS 2, AS 4, AS 6; iBGP-IPv4 VPN and iBGP-IPv6 VPN in AS 64512 (1.1.1.111 <-> 2.2.2.222); eBGP-SR between the ASes.]
[Figure: H1 --> H2 forwarding over BGP-SR. Labels: Loopback 1, 6.6.6.66/32, Index 66, SRGB 200000, [IMPL NULL]; label 967920 with 206.0.0.0/24 and CE 10.255.255.2 (IPv4 panel); label 965242 with 2206::/64 and CE 2010::2 (IPv6 panel).]
To switch to using the MPLS BGP-SR transport, we just need to change the next-hop we advertised
for the VPN routes. As per Figure 23-65 and Figure 23-66, the next hop needs to be set to loopback 1
for using the BGP-SR LSP.
This is simply achieved by configuring the next-hop for EVPN routes.
router bgp 64512
!
address-family evpn
neighbor default encapsulation mpls next-hop-self source-interface Loopback1
Once this is configured, we can check the BGP updates and the routes in the VRF. The output again
includes the RD and IP prefix identifying the route. As seen in the output, we now have the NH set to
6.6.6.66 for tenant-d.
north-edge#show bgp vpn-ipv4 206.0.0.0/24 detail
BGP routing table information for VRF default
Router identifier 1.1.1.111, local AS number 64512
BGP routing table entry for IPv4 prefix 206.0.0.0/24, Route Distinguisher: 6.6.6.6:64514
Paths: 1 available
65010
6.6.6.66 from 2.2.2.222 (2.2.2.222)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Extended Community: Route-Target-AS:64512:4364
MPLS label: 967920
north-edge#
north-edge#show bgp vpn-ipv6 2206::/64 detail
BGP routing table information for VRF default
Router identifier 1.1.1.111, local AS number 64512
BGP routing table entry for IPv6 prefix 2206::/64, Route Distinguisher: 6.6.6.6:64514
Paths: 1 available
65010
6.6.6.66 from 2.2.2.222 (2.2.2.222)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Extended Community: Route-Target-AS:64512:4364
MPLS label: 965242
north-edge#
Note The VPN label has not changed from the ISIS-SR case above (967920 & 965242), reinforcing the fact
that the BGP VPN label is orthogonal to the transport label.
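The orthogonality stated in the notes for the LDP and BGP-SR cases can be checked mechanically. The following is an added example, not Arista code: it parses the detail output format shown on this page and reports what changed between two captures. The function names are hypothetical, and it assumes one path per entry, as in the outputs above.

```python
import re

# Output copied from this page: the VPN-IPv4 route over IS-IS SR, and the same
# route after the next hop was switched to Loopback1 for BGP-SR.
ISIS_SR = """\
BGP routing table entry for IPv4 prefix 206.0.0.0/24, Route Distinguisher: 6.6.6.6:64514
Paths: 1 available
65010
6.6.6.6 from 2.2.2.222 (2.2.2.222)
Origin IGP, metric -, localpref 100, weight 0, valid, internal, best
Extended Community: Route-Target-AS:64512:4364
MPLS label: 967920
"""
BGP_SR = ISIS_SR.replace("6.6.6.6 from", "6.6.6.66 from")

# EVPN output copied from this page: one prefix, two tenants, told apart by RD.
EVPN_TWO_TENANTS = """\
BGP routing table entry for ip-prefix 100.10.11.0/24, Route Distinguisher: 6.6.6.6:64512
Paths: 1 available
65006
6.6.6.66 from 2.2.2.222 (2.2.2.222)
Extended Community: Route-Target-AS:64512:11 TunnelEncap:tunnelTypeMpls
MPLS label: 958810
BGP routing table entry for ip-prefix 100.10.11.0/24, Route Distinguisher: 6.6.6.6:64513
Paths: 1 available
65006
6.6.6.66 from 2.2.2.222 (2.2.2.222)
Extended Community: Route-Target-AS:64513:11 TunnelEncap:tunnelTypeMpls
MPLS label: 953372
"""

ENTRY = re.compile(r"BGP routing table entry for (?:IPv[46] prefix|ip-prefix) "
                   r"([^\s,]+), Route Distinguisher: (\S+)")
PATH = re.compile(r"^\s*(\S+) from (\S+) \(")
RT = re.compile(r"Route-Target-AS:(\d+:\d+)")
LABEL = re.compile(r"MPLS label: (\d+)")


def parse_detail(text):
    """Return {(rd, prefix): {"next_hop", "rts", "label"}} from detail output."""
    routes, cur = {}, None
    for line in text.splitlines():
        if m := ENTRY.search(line):
            # Key on (RD, prefix): the prefix alone is ambiguous across tenants.
            cur = routes.setdefault((m.group(2), m.group(1)),
                                    {"next_hop": None, "rts": set(), "label": None})
        elif cur is None:
            continue  # banner lines before the first entry
        elif m := PATH.match(line):
            cur["next_hop"] = m.group(1)
        elif "Extended Community:" in line:
            cur["rts"].update(RT.findall(line))
        elif m := LABEL.search(line):
            cur["label"] = int(m.group(1))
    return routes


def transport_change_report(before, after):
    """Compare two captures; only next_hop_changed should be non-empty."""
    report = {"next_hop_changed": [], "vpn_label_changed": [],
              "rt_changed": [], "missing": []}
    for key, old in before.items():
        new = after.get(key)
        if new is None:
            report["missing"].append(key)
            continue
        if new["next_hop"] != old["next_hop"]:
            report["next_hop_changed"].append((key, old["next_hop"], new["next_hop"]))
        if new["label"] != old["label"]:
            report["vpn_label_changed"].append((key, old["label"], new["label"]))
        if new["rts"] != old["rts"]:
            report["rt_changed"].append((key, sorted(old["rts"]), sorted(new["rts"])))
    return report


if __name__ == "__main__":
    print(transport_change_report(parse_detail(ISIS_SR), parse_detail(BGP_SR)))
```

A non-empty vpn_label_changed or rt_changed list after a transport migration means the tenant mapping itself moved and should be reviewed before traffic is cut over.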
As displayed in the highlighted route above, the label stack has the transport label 200066 on
top (this is the label path to reach NH 6.6.6.66), with the tenant-d VPN label 967920 next in the stack,
identifying the route as belonging to tenant-a.
north-edge#show ip route vrf tenant-d
VRF: tenant-d
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route
VRF: tenant-d
Displaying 4 of 7 IPv6 routing table entries
Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R - RIP, A B - BGP Aggregate, I L1 -
IS-IS level 1, I L2 - IS-IS level 2, DH - DHCP, NG - Nexthop Group Static Route, M - Martian, DP - Dynamic
Policy Route
B 2010::/126 [200/0]
via 6.6.6.66/32, BGP LU tunnel index 8, label 965242
via 192.168.58.12, Ethernet1/1, label 200066
via 192.168.59.12, Ethernet2/1, label 200066
C 2010::4/126 [0/0]
via Ethernet6/1.120, directly connected
B 2201::/64 [200/0]
via 2010::6, Ethernet6/1.120
B 2206::/64 [200/0]
via 6.6.6.66/32, BGP LU tunnel index 8, label 965242
via 192.168.58.12, Ethernet1/1, label 200066
via 192.168.59.12, Ethernet2/1, label 200066
A capture of the data plane on North-Edge matching on the BGP-SR transport label confirms the
encapsulated traffic on the wire: 200066:976920:[Source IP Address][Destination IP Address].
monitor session 1 source Ethernet1/1 tx
monitor session 1 destination Cpu
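The captures described for the LDP and BGP-SR cases show a two-entry label stack in front of the tenant packet. The following added example (not from the original manual) decodes such a stack from raw frame bytes and maps it to a transport and a tenant, using the label values from the outputs on this page. The frames, MAC addresses and host addresses 201.0.0.10 and 206.0.0.10 are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct

MPLS_UNICAST = 0x8847  # EtherType for MPLS unicast

# Label values taken from the outputs on this page.
TRANSPORT = {408006: "IS-IS SR to 6.6.6.6", 904097: "LDP to 6.6.6.200",
             200066: "BGP-SR to 6.6.6.66"}
VPN = {967920: "tenant-d IPv4", 965242: "tenant-d IPv6"}


def lse(label, bottom, ttl=64, tc=0):
    """Pack one label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def build_frame(labels, src_ip, dst_ip):
    """Constructed test frame: Ethernet + MPLS stack + bare 20-byte IPv4 header."""
    eth = bytes.fromhex("02000000000b" "02000000000a") + struct.pack("!H", MPLS_UNICAST)
    stack = b"".join(lse(l, i == len(labels) - 1) for i, l in enumerate(labels))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + stack + ip


def decode_mpls(frame):
    """Return (labels, src, dst) for an MPLS-encapsulated IPv4/IPv6 packet."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != MPLS_UNICAST:
        raise ValueError("not an MPLS unicast frame")
    labels, off = [], 14
    while True:
        if off + 4 > len(frame):
            raise ValueError("label stack ends without bottom-of-stack bit")
        (word,) = struct.unpack("!I", frame[off:off + 4])
        off += 4
        labels.append(word >> 12)
        if word & 0x100:  # S bit: this entry is the bottom of the stack
            break
    payload = frame[off:]
    version = payload[0] >> 4 if payload else 0
    if version == 4 and len(payload) >= 20:
        src, dst = payload[12:16], payload[16:20]
    elif version == 6 and len(payload) >= 40:
        src, dst = payload[8:24], payload[24:40]
    else:
        raise ValueError("payload is not a complete IPv4/IPv6 header")
    return labels, str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))


def classify(labels):
    """Return (transport, vrf) for a decoded stack, or raise if it is unexpected."""
    *outer, inner = labels
    if inner not in VPN:
        raise ValueError(f"bottom label {inner} is not a known VPN label")
    if len(outer) > 1 or any(l not in TRANSPORT for l in outer):
        raise ValueError(f"unexpected transport labels {outer}")
    # An empty outer stack is what the egress PE sees after the penultimate
    # hop pops the transport label (implicit null, label 3, is never sent).
    return (TRANSPORT[outer[0]] if outer else "popped", VPN[inner])


if __name__ == "__main__":
    frame = build_frame([200066, 967920], "201.0.0.10", "206.0.0.10")
    labels, src, dst = decode_mpls(frame)
    print(labels, src, dst, classify(labels))
```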
Chapter 23: EVPN EVPN and VCS Commands
VCS Commands
• redistribute bgp evpn vxlan
Display Commands
• show bgp evpn
• show ip bgp vrf
• show ip route vrf
• show ipv6 bgp vrf
• show ipv6 route vrf
• show service vxlan address-table
• show vrf leak flapping
Command Mode
Router-BGP Address-Family Configuration
Command Syntax
next-hop resolution disabled
Example
This command disables the next-hop resolution in routes received from BGP-EVPN peers.
cvx(config)#router bgp 65002
cvx(config-router-bgp)#address-family evpn
cvx(config-router-bgp-af)#next-hop resolution disabled
cvx(config-router-bgp-af)#
Command Mode
CVX-VXLAN Configuration
Command Syntax
redistribute bgp evpn vxlan
Example
This command enables redistribution of BGP-EVPN routes to VCS.
cvx(config)#cvx
cvx(config-cvx)#no shutdown
cvx(config-cvx)#service vxlan
cvx(config-cvx-vxlan)#no shutdown
cvx(config-cvx-vxlan)#redistribute bgp evpn vxlan
Command Mode
Router-BGP VNI Configuration
Command Syntax
redistribute service vxlan
Example
This command enables redistribution of the Layer 2 bridging information received from VCS.
cvx(config)#router bgp 100
cvx(config-router-bgp)#vni-aware-bundle bundle1
cvx(config-macvrf-bundle1)#redistribute service vxlan
router general
The router general command configures route leaking from one VRF to another VRF using a route-map
(named “RM1” in the examples below).
The no router general and default router general commands remove the router general configuration
from the running-config.
Command Mode
Router General Configuration
Command Syntax
router general
no router general
default router general
Examples
• These commands configure a route-map to leak routes from “VRF1” to “VRF2” using a route-map
“RM1”.
switch(config)#router general
switch(config-router-general)#vrf VRF2
switch(config-router-general-vrf-VRF2)#leak routes source-vrf VRF1 subscribe-policy RM1
• These commands configure a route-map that matches the prefix 10.0.0.0/8 and sets the administrative
distance to 10 in the destination VRF.
switch(config)#ip prefix-list PL1
switch(config-ip-pfx)#permit 10.0.0.0/8
switch(config)#ip route-map RM1
switch(config-route-map-RM1)#match ip address prefix-list PL1
switch(config-route-map-RM1)#set distance 10
route-target
The route-target command configures a well-known extended community that is used by BGP-EVPN
to export routes from or import routes into MAC-VRF.
The no route-target and default route-target commands delete the route-target configuration.
Command Mode
Router-BGP VNI Configuration
Syntax
route-target {export | import | both} rt
no route-target
default route-target
Parameters
• export configures a well-known extended community that is attached to the routes exported by
BGP-EVPN.
• import configures a well-known extended community that identifies the received routes that
need to be imported into the MAC-VRF specified by the VNI bundle.
• both configures the same extended community for import and export of routes.
• rt route-target extended community.
Example
This command configures a well-known extended community for import and export of routes.
cvx(config)#router bgp 100
cvx(config-router-bgp)#vni-aware-bundle bundle1
cvx(config-macvrf-bundle1)#route-target both 503:12
cvx(config-macvrf-bundle1)#
route-target export
The route-target export command allows the user to export routes from a VRF to the local VPN table
using the route target extended community list.
The no route-target export and default route-target export commands remove the routes from the
VPN table.
Command Mode
Router-BGP VNI Configuration
Syntax
route-target export [evpn|vpn-ipv4|vpn-ipv6] <RT>
no route-target export
default route-target export
Parameters
• evpn EVPN address family.
• vpn-ipv4 MPLS L3 VPN IPv4 unicast address family.
• vpn-ipv6 MPLS L3 VPN IPv6 unicast address family.
• RT route-target extended community.
Examples
• These commands export routes from vrf-red to the VPN table.
switch(config)#service routing protocols model multi-agent
switch(config)#mpls ip
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-red
switch(config-router-bgp-vrf-vrf-red)#rd 1:1
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv4 10:10
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv6 10:20
• These commands export routes from vrf-red to the EVPN table.
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-red
switch(config-router-bgp-vrf-vrf-red)#rd 1:1
switch(config-router-bgp-vrf-vrf-red)#route-target export evpn 10:1
route-target import
The route-target import command allows the user to import route target extended community lists
from the local VPN table to the target VRF.
The no route-target import and default route-target import commands remove the routes from the
VPN table.
Command Mode
Router-BGP VNI Configuration
Syntax
route-target import [evpn|vpn-ipv4|vpn-ipv6] <RT>
no route-target import
default route-target import
Parameters
• evpn EVPN address family.
• vpn-ipv4 MPLS L3 VPN IPv4 unicast address family.
• vpn-ipv6 MPLS L3 VPN IPv6 unicast address family.
• RT route-target extended community.
Examples
• These commands import routes from the VPN table to vrf-blue.
switch(config)#service routing protocols model multi-agent
switch(config)#mpls ip
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-blue
switch(config-router-bgp-vrf-vrf-blue)#rd 2:2
switch(config-router-bgp-vrf-vrf-blue)#route-target import vpn-ipv4 10:10
switch(config-router-bgp-vrf-vrf-blue)#route-target import vpn-ipv6 10:20
• These commands import routes from the EVPN table to vrf-blue.
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-blue
switch(config-router-bgp-vrf-vrf-blue)#rd 2:2
switch(config-router-bgp-vrf-vrf-blue)#route-target import evpn 10:1
route-target route-map
The route-target route-map command allows the user to export and import route target extended
community lists from one VRF to another using route maps.
The no route-target route-map and default route-target route-map commands remove the routes
from the VPN table.
Command Mode
Router-BGP VNI Configuration
Syntax
route-target {import|export} [evpn|vpn-ipv4|vpn-ipv6] route-map RM
no route-target route-map
default route-target route-map
Parameters
• evpn EVPN address family.
• vpn-ipv4 MPLS L3 VPN IPv4 unicast address family.
• vpn-ipv6 MPLS L3 VPN IPv6 unicast address family.
• RM route-map extended community.
Examples
• These commands export routes from vrf-red to the VPN table.
switch(config)#service routing protocols model multi-agent
switch(config)#mpls ip
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-red
switch(config-router-bgp-vrf-vrf-red)#rd 1:1
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv4 10:10
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv6 10:20
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv4 route-map EXPORT_V4_ROUTES_T0_VPN_TABLE
switch(config-router-bgp-vrf-vrf-red)#route-target export vpn-ipv6 route-map EXPORT_V6_ROUTES_T0_VPN_TABLE
• These commands export routes from vrf-red to the EVPN table.
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-red
switch(config-router-bgp-vrf-vrf-red)#rd 1:1
switch(config-router-bgp-vrf-vrf-red)#route-target export evpn 10:1
switch(config-router-bgp-vrf-vrf-red)#route-target export evpn route-map EXPORT_ROUTES_T0_EVPN_TABLE
• These commands import routes from the VPN table to vrf-blue.
switch(config)#service routing protocols model multi-agent
switch(config)#mpls ip
switch(config)#router bgp 65001
switch(config-router-bgp)#vrf vrf-blue
switch(config-router-bgp-vrf-vrf-blue)#rd 1:1
switch(config-router-bgp-vrf-vrf-blue)#route-target import vpn-ipv4 10:10
switch(config-router-bgp-vrf-vrf-blue)#route-target import vpn-ipv6 10:20
switch(config-router-bgp-vrf-vrf-blue)#route-target import vpn-ipv4 route-map IMPORT_V4_ROUTES_VPN_TABLE
switch(config-router-bgp-vrf-vrf-blue)#route-target import vpn-ipv6 route-map IMPORT_V6_ROUTES_VPN_TABLE
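Because a VRF receives every route whose export RT matches one of its import RTs, the route-target export, route-target import and leak routes commands above together define which tenants can reach which. The following added example (not Arista code) derives those VRF-to-VRF flows from configuration text and flags any that are not on an approved list. The indented running-config layout of the sample and the vrf-green entry are assumptions constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample built from the commands on this page, plus a hypothetical
# vrf-green that reuses RT 10:1 and so silently receives vrf-red's EVPN routes.
SAMPLE_CONFIG = """\
router bgp 65001
   vrf vrf-red
      rd 1:1
      route-target export vpn-ipv4 10:10
      route-target export vpn-ipv6 10:20
      route-target export evpn 10:1
      route-target export evpn route-map EXPORT_ROUTES_T0_EVPN_TABLE
   vrf vrf-blue
      rd 2:2
      route-target import vpn-ipv4 10:10
      route-target import vpn-ipv6 10:20
      route-target import evpn 10:1
   vrf vrf-green
      rd 3:3
      route-target import evpn 10:1
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#")  # strips "switch(config-...)#"
VRF = re.compile(r"^vrf (\S+)$")
RT_LINE = re.compile(
    r"^route-target (import|export) (evpn|vpn-ipv4|vpn-ipv6) (route-map )?(\S+)$")
LEAK = re.compile(r"^leak routes source-vrf (\S+) subscribe-policy (\S+)$")


def parse_route_targets(config):
    """Collect per-VRF import/export RTs, RT route-maps and local leak sources."""
    vrfs, vrf = {}, None
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip()).strip()
        if m := VRF.match(line):
            vrf = m.group(1)
            vrfs.setdefault(vrf, {"import": set(), "export": set(),
                                  "route_maps": {}, "leaks": set()})
        elif line.startswith("router ") or line == "!":
            vrf = None  # left the VRF block
        elif vrf is None:
            continue  # RT lines outside a VRF (e.g. MAC-VRF bundles) are skipped
        elif m := RT_LINE.match(line):
            direction, afi, is_map, value = m.groups()
            if is_map:
                vrfs[vrf]["route_maps"][(direction, afi)] = value
            else:
                vrfs[vrf][direction].add((afi, value))
        elif m := LEAK.match(line):
            vrfs[vrf]["leaks"].add((m.group(1), m.group(2)))
    return vrfs


def route_flows(vrfs):
    """Return {(source_vrf, dest_vrf, mechanism, rt_or_policy)} implied by the config."""
    exporters = defaultdict(set)
    for name, v in vrfs.items():
        for key in v["export"]:
            exporters[key].add(name)
    flows = set()
    for name, v in vrfs.items():
        for afi, rt in v["import"]:
            for src in exporters.get((afi, rt), ()):
                if src != name:
                    flows.add((src, name, afi, rt))
        for src, policy in v["leaks"]:
            flows.add((src, name, "leak", policy))
    return flows


def unexpected_flows(flows, allowed_pairs):
    """Flows whose (source, destination) pair is not on the approved list."""
    return sorted(f for f in flows if (f[0], f[1]) not in allowed_pairs)


if __name__ == "__main__":
    flows = route_flows(parse_route_targets(SAMPLE_CONFIG))
    for flow in unexpected_flows(flows, {("vrf-red", "vrf-blue")}):
        print("unapproved route flow:", flow)
```

RT matching is network-wide, so a complete audit runs this over the concatenated configurations of every PE rather than a single switch.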
Command Mode
Global Configuration
Command Syntax
show bgp evpn [community | detail | esi esid | extcommunity | host-flap | instance
| large-community AS:nn:nn | next-hop | rd admin:local-assignment | route-type |
summary | vni vni_num]
Parameters
• <no parameters> displays all routes of the switch.
• community displays routes filtered by the specified community. Options include:
    • GSHUT well-known GSHUT community.
    • aa:nn AS and network number, separated by a colon. The value ranges from 1 to
      4294967295.
    • internet advertises route to the Internet community.
    • local-as advertises route only to local peers.
    • no-advertise does not advertise the route to any peer.
    • no-export advertises route only within the BGP-EVPN AS boundary.
    • comm_num community number. Values range from 1 to 4294967040.
• detail displays detailed information of routes.
• esi esid displays routes filtered by the specified Ethernet Segment Identifier (ESI).
• extcommunity displays routes that match with BGP or VPN extended community list. Options
include:
    • esi-label esid displays routes filtered by the specified value of ESI label. The value ranges
      from 0 to 16777215.
    • mac-mobility displays routes filtered by the specified MAC mobility.
    • router-mac H.H.H displays routes filtered by the specified router MAC address.
    • rt displays routes filtered by the specified route target.
    • tunnel-encap vxlan displays routes filtered by the VXLAN tunnel encapsulation.
• host-flap displays routes that contain MAC addresses that are blacklisted due to duplication.
• instance displays routes with EVPN instances.
• large-community AS:nn:nn displays routes filtered by the specified large community.
• next-hop displays routes filtered by next-hop IPv4 or IPv6 addresses of remote VTEP.
• rd admin:local-assignment displays routes filtered by the specified Route Distinguisher (RD).
• route-type displays routes filtered by NLRI route type.
• summary displays summary of routes.
• vni vni_num displays routes filtered by the specified VXLAN Network Identifier (VNI). Value
ranges from 1 to 4294967294.
Example
• This command displays BGP-EVPN routes filtered by the VNI 3011.
cvx(config-router-bgp-af)#show bgp evpn vni 3011
BGP routing table information for VRF default
Router identifier 2.0.2.2, local AS number 65002
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Command Mode
Global Configuration
Command Syntax
show ip bgp vrf {vrf_name | all | default}
Parameters
• vrf_name name of the VRF.
• all displays summary of all VRFs.
• default default virtual routing and forwarding instance.
Example
• This command displays the leaked and source VRF information.
switch(config)#show ip bgp 13.0.0.0/24 vrf vrf-blue
BGP routing table information for VRF vrf-blue
Router identifier 5.0.0.2, local AS number 65001
BGP routing table entry for 130.110.61.0/24
4.0.0.3 from 4.0.0.3 (52.0.0.1), imported EVPN route, RD 400:1
Origin IGP, metric -, localpref 100, weight 0, valid, external,best
Extended Community: Route-Target-AS:4000:1 TunnelEncap:tunnelTypeVxlan
EvpnRouterMac:74:83:ef:0b:70:f3
Leaked from VRF vrf-red
Command Mode
Global Configuration
Command Syntax
show ipv6 bgp vrf {vrf_name | all | default}
Parameters
• vrf_name name of the VRF.
• all displays summary of all VRFs.
• default default virtual routing and forwarding instance.
Example
• This command displays the leaked and source VRF information.
switch(config)#show ipv6 bgp 2001:10:1:0::102/64 vrf default
BGP routing table information for VRF default
Router identifier 218.218.218.218, local AS number 34
Route status codes: s - suppressed, * - valid, > - active, # - not installed, E - ECMP head, e - ECMP
S - Stale, c - Contributing to ECMP, b - backup, L - labeled-unicast
% - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop
Command Mode
Global Configuration
Command Syntax
show ip route vrf {vrf_name | all}
Parameters
• vrf_name name of the VRF.
• all displays summary of all VRFs.
Example
• This command displays the leaked OSPF or OSPFv3 routes, which are present because “redistribute ospf” and “redistribute ospfv3” are configured on the source VRF vrf-red.
switch(config)#show ip route vrf vrf-blue
VRF: vrf-blue
Codes: C - connected, S - static, K - kernel,
O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type2, B I - iBGP, B E - eBGP,
R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
NG - Nexthop Group Static Route, V - VXLAN Control Service,
DH - DHCP client installed default route, M - Martian,
DP - Dynamic Policy Route, L - VRF Leaked
Gateway of last resort is not set
C 5.0.0.2/31 is directly connected, Ethernet14
B L 57.0.0.3/32 [200/0] (source VRF vrf-red) via 4.0.0.3, Ethernet11
B L 45.0.0.1/32 [200/0] (source VRF vrf-red) via 4.0.0.3, Ethernet11
B L 52.0.0.1/32 [200/0] (source VRF vrf-red) via 4.0.0.3, Ethernet11
B L 120.0.0.0/24 [200/0] (source VRF vrf-red) via 4.0.0.3, Ethernet11
B L 130.0.0.0/24 [200/0] (source VRF vrf-red) via 4.0.0.3, Ethernet11
B L 130.0.1.0/24 [200/0] (source VRF vrf-red) via 4.0.0.3, Ethernet11
B L 130.0.2.0/24 [200/0] (source VRF vrf-red) via 4.0.0.3, Ethernet11
B L 130.0.3.0/24 [200/0] (source VRF vrf-red) via 4.0.0.3, Ethernet11
Command Mode
Global Configuration
Command Syntax
show ipv6 route vrf {vrf_name | all}
Parameters
• vrf_name name of the VRF.
• all displays summary of all VRFs.
Example
• This command displays the leaked OSPF or OSPFv3 routes, which are present because “redistribute ospf” and “redistribute ospfv3” are configured on the source VRF vrf-red.
switch(config)#show ipv6 route vrf vrf-blue
VRF: vrf-blue
Displaying 802 of 802 IPv6 routing table entries
Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R - RIP,
A B - BGP Aggregate, I L1 - IS-IS level 1, I L2 - IS-IS level 2, DH - DHCP,
NG - Nexthop Group Static Route, M - Martian, DP - Dynamic Policy Route, L - VRF Leaked
B L 18::1/128 [200/0] (source VRF vrf-red)
via 4::3, Ethernet11
B L 6::2/127 [200/0] (source VRF vrf-red)
via fe80::7683:efff:fe0b:963d, Ethernet11
B L 45::1/128 [200/0] (source VRF vrf-red)
via fe80::7683:efff:fe0b:963d, Ethernet11
B L 130::/64 [200/0] (source VRF vrf-red)
via fe80::7683:efff:fe0b:963d, Ethernet11
B L 130:0:0:1::/64 [200/0] (source VRF vrf-red)
via fe80::7683:efff:fe0b:963d, Ethernet11
B L 130:0:0:2::/64 [200/0] (source VRF vrf-red)
via fe80::7683:efff:fe0b:963d, Ethernet11
B L 130:0:0:3::/64 [200/0] (source VRF vrf-red)
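Both route tables above tag each leaked entry with "(source VRF ...)", which makes the leaks easy to audit against intended policy. The following is an added example, not part of the Arista documentation: it extracts leaked routes from output in either format and reports those outside an allowlist. The ALLOWED policy and function names are hypothetical, and the sample output is constructed from lines in the two examples above.

```python
import ipaddress
import re

# Constructed sample: IPv4 and IPv6 lines in the formats shown above.
SAMPLE = """\
VRF: vrf-blue
 C        5.0.0.2/31 is directly connected, Ethernet14
 B L      57.0.0.3/32 [200/0] (source VRF vrf-red) via 4.0.0.3, Ethernet11
 B L      130.0.1.0/24 [200/0] (source VRF vrf-red) via 4.0.0.3, Ethernet11
 B L      6::2/127 [200/0] (source VRF vrf-red)
           via fe80::7683:efff:fe0b:963d, Ethernet11
 B L      130:0:0:1::/64 [200/0] (source VRF vrf-red)
"""

# Hypothetical policy: prefixes vrf-red is permitted to leak into vrf-blue.
ALLOWED = {("vrf-red", "vrf-blue"): ["130.0.0.0/16", "130::/32"]}

VRF_HDR = re.compile(r"^VRF:\s*(?P<vrf>\S+)")
# A leaked entry carries the "(source VRF name)" annotation after [distance/metric].
LEAK = re.compile(
    r"(?P<prefix>\S+/\d+)\s+\[\d+/\d+\]\s+\(source VRF (?P<src>[^)]+)\)"
)

def leaked_routes(output):
    """Return (destination VRF, source VRF, network) for each leaked route."""
    dest, routes = None, []
    for line in output.splitlines():
        hdr = VRF_HDR.match(line.strip())
        if hdr:
            dest = hdr["vrf"]  # the table being displayed is the destination
            continue
        m = LEAK.search(line)
        if m:
            # strict=False tolerates entries with host bits set in the prefix
            net = ipaddress.ip_network(m["prefix"], strict=False)
            routes.append((dest, m["src"], net))
    return routes

def audit(output, allowed):
    """Return (source, destination, prefix) for leaks outside the allowlist."""
    violations = []
    for dest, src, net in leaked_routes(output):
        permitted = [ipaddress.ip_network(p) for p in allowed.get((src, dest), ())]
        if not any(net.version == p.version and net.subnet_of(p) for p in permitted):
            violations.append((src, dest, str(net)))
    return violations

if __name__ == "__main__":
    for src, dest, prefix in audit(SAMPLE, ALLOWED):
        print("unexpected leak %s -> %s: %s" % (src, dest, prefix))
```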
Command Mode
CVX Global Configuration
Command Syntax
show service vxlan address-table {advertised | received} [address H.H.H | evpn |
hsc | mss | switch [Word | all] | vni vnid | vtep A.B.C.D]
Parameters
• advertised displays the advertised route entries in the MAC forwarding table.
• received displays the received route entries in the MAC forwarding table.
• address H.H.H displays route entries that are filtered by the specified MAC addresses.
• evpn displays route entries filtered by BGP-EVPN.
• hsc displays route entries filtered by Hardware Switch Controller (HSC).
• mss displays route entries filtered by Macro Segmentation Service (MSS).
• switch displays route entries that are filtered by the specified switch or all switches. Options include:
  • Word Hostname, IP address or ID of the switch.
  • all all switches.
• vni vnid displays route entries filtered by the specified VXLAN Network Identifier (VNI). Value ranges from 1 to 4294967294.
• vtep A.B.C.D displays route entries filtered by the specified IP address of the remote Virtual Tunnel End Point (VTEP).
Examples
• This command displays the route entries in the MAC forwarding table advertised to BGP-EVPN peers.
cvx#show service vxlan address-table advertised evpn
Advertised Mac Address Table
----------------------------------------------------------------------
• This command displays the route entries in the MAC forwarding table received from BGP-EVPN peers.
cvx#show service vxlan address-table received evpn
Received Mac Address Table
---------------------------------------------------------------------
Command Mode
EXEC
Command Syntax
show vrf leak flapping
Parameters
• destination displays flapping prefixes destined to a VRF.
• prefix displays flapping routes for a prefix.
• source displays flapping prefixes sourced from a VRF.
• vrf displays flapping prefixes associated with a VRF.
Example
• This command displays the flapping prefixes of the leaked routes.
switch#show vrf leak flapping
Age Source VRF Destination VRF Prefix Created At
-------- ---------------- --------------------- ----------------- -------------
141 VRF1 VRF2 10.0.2.0/24 3357281.40992
vni-aware-bundle
The vni-aware-bundle command configures a BGP MAC-VRF containing Layer 2 routes from a group
of VXLAN Network Identifiers (VNI).
Command Mode
Router BGP Configuration
Command Syntax
vni-aware-bundle vni_bundle_name
Parameter
vni_bundle_name VNI bundle name.
Example
This command configures MAC-VRF BGP to support VNI bundle1.
cvx(config)#router bgp 100
cvx(config-router-bgp)#vni-aware-bundle bundle1
cvx(config-macvrf-bundle1)#