06 - VXLAN Part VI VXLAN BGP EVPN - Basic Configurations

VXLAN Part VI: VXLAN BGP EVPN – Basic Configurations
In my previous post “VXLAN Part V: Flood and Learn”, I have shown, how VXLAN works
without Control Plane protocol. In this post, I am going to show how to configure BGP
EVPN on VXLAN fabric.
In Figure 1, you can see the high-level overview of our example VXLAN fabric design. We
have one vrf context (=tenant) TENANT77 spread over the two VTEPs. We also have two
VLANs; VLAN 10 (attached to L2VNI 10000) and VLAN 20 (attached to L2VNI 20000). On
each VTEPs there are two connected hosts (Cafe and Abba on VTEP-101, Beef, and Babe
on VTEP-102). The cross VLAN flows between the hosts in different VTEPs is routed over
the L3VNI 10077. The reason why I start with the configurations is that I want to use
show commands as well as Wireshark captures while explaining the theory in my next
post.
Note! I am using Cisco VIRL with Nexus 9000v (nxos.7.0.3.I7.1.bin).
Figure 1: VXLAN BGP EVPN
Updated: February 21.4.2018 | Toni Pasanen
Configuration
The Underlay Network IP connectivity configuration can be found from my previous

posts:
VXLAN Part II. The Underlay network – Unicast Routing

VXLAN Part IV: The Underlay Network – Multidestination traffic – PIM BiDir
You will find the complete configurations of all devices on Appendix 1 at the end of this
document as well as a diagram of building blocks and their relationship.
Enabling features
First, we need to enable vxlan and related features as well as routing protocols needed
for underlay and overlay:
nv overlay: enables VXLAN.

feature nv overlay evpn: enables EVPN Control Plane
feature fabric forwarding: enables Host Mobility Manager
feature vn-segment-vlan-based: enables VLAN based VXLAN
nv overlay evpn
feature ospf
feature bgp
feature pim
feature fabric forwarding
feature interface-vlan
feature vn-segment-vlan-based
feature nv overlay
The rest of the configurations are divided into two main parts:
Control Plane and tenant configuration (BGP, VRF Context, and EVPN)
Adding a customer network to the tenant
Configuring BGP
In our example, all switches belong to AS65000. Spine-11 is BGP Route Reflector (RR)
and VTEPs are RR clients. I am going to use dedicated loopback IP addresses for the BGP
peering even though we could also use the same address used with OSPF RID. The
reason for dedicated IP address for BGP and OSPF is that I want to draw a clear line
between the protocols used in Underlay and Overlay networks. In this his way, we can
simplify the troubleshooting process.
In leaf switch VTEP-101, we use ip address 192.168.77.101 (loopback 77 ) as a BGP

router ID and we also use it as the source address in iBGP peering with Spine-11
(192.168.77.11).
We want to send and receive the BGP EVPN NLRIs (Network Layer Reachability
Information = routing updates), that is why the “address-family l2vpn evpn” is needed in
addition to ipv4 unicast afi. What address-family actually is? Well, it describes the type
of the information that is carried inside the NLRI (IPv4, IPv6, vpnv4, evpn…).The
Address-Family identifier (AFI) number for Layer2 NLRI information is 25 and the
Subsequent AFI (SAFI) for EVPN is 70. Under the l2vpn afi, we define the BGP
community types that we want to carry with BGP update messages. We are going to use
Route-Targets (RT) for importing/exporting routes to and from the BGP process. Since
RTs are extended communities and only standard BGP communities are added to NLRI
by default, we need to add them to the address-family l2vpn evpn configuration.
router bgp 65000
router-id 192.168.77.101
address-family ipv4 unicast
address-family l2vpn evpn
neighbor 192.168.77.11
remote-as 65000
description ** Spine-11 BGP-RR **
update-source loopback77
send-community extended
!
interface loopback77
description ** BGP peering **
ip address 192.168.77.101/32
ip router ospf UNDERLAY-NET area 0.0.0.0
A couple of words about the IP addressing and IP connectivity. In figure 2, we can see
that there are three logical Loopback interfaces in each VTEP switch.
Loopback 0: Instead of configuring dedicated ip address on Inter-switch link, I have

used “ip unnumbered loopback 0” configuration. This saves ip addresses compared to
dedicated subnets in each inter-switch link.
Loopback 100: is used for VXLAN tunnel addressing. NVE 1 interface use Loopback 100
as a source interface.
Loopback 77: Is used for BGP peering. The “MP_REACH_NLRI” Path Attribute in BGP
Update message use the ip address of the NVE 1 interface in the “Next Hop Address”
field. The tunnel address has to be the next-hop-address of all NLRIs and if eBGP is used
Spine switches have to retain the original next-hop-address while forwarding the routing
update. Note that BGP RR does not change ANY of the Path Attributes of the reflected
route, so the source address in our case is retained automatically.
I have written the article “VXLAN Part X: Recovery issue when BGP EVPN peering uses
the same loopback interface as a source than VXLAN NVE1 interface” in which the
meaning of Loopback addresses is analyzed in more detail.
Figure 2: BGP and IP addressing
We can verify the BGP peering with show bgp l2vpn evpn summary.
Leaf-101# sh bgp l2vpn evpn summary

BGP summary information for VRF default, address family L2VPN
EVPN
BGP router identifier 192.168.77.101, local AS number 65000
BGP table version is 181, L2VPN EVPN config peers 1, capable
peers 1
2 network entries and 2 paths using 332 bytes of memory
BGP attribute entries [1/160], BGP AS path entries [0/0]
BGP community entries [0/0], BGP clusterlist entries [1/4]
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ

Up/Down State/PfxRcd
192.168.77.11 4 65000 356 327 181 0 0
04:58:48 1
Configuring VRF Context
VRF context in VXLAN fabric has a dedicated Virtual Network Id (VNI). When routing
traffic between two hosts behind the different VTEPs in different subnets, packets are
routed over the L3VNI (Figure 3). VXLAN headers for these routed packets uses L3VNI
instead of L2VNI. We are using symmetric Integrated Route and Bridge (IRB) model
where all routed traffic inside a tenant will use the same L3VNI.
Note! I am using term “vrf” for virtual routing inside a single box (local). I am using
term “tenant” while speaking about the virtual L2/l3 domain spread over the fabric
Figure 3: Routing over between different subnets.
We will set up the vrf context TENANT77 and attach L3VNI 10077 to it (Figure 4). Since
we use MP-BGP, we also need to define a Route Distinguisher (RD), as well as Route
Targets (RT) specified under the ipv4 unicast afi (routed traffic is Unicast).
RD in VXLAN perspective is an IPv4 address extension, which is used by BGP Route

Reflector to differentiate possible overlapping networks in different VRFs/Tenants (Spine
BGP RR is not VRF aware). We are going to use automatic RD mode, where RD is formed
based on the BGP RID and VRF ID.
Address-family IPv4 unicast in vrf context is used for exporting/importing routes with
BGP process. To be able to do that, we also need to attach RT values in each BGP NLRI
updates. Since RTs are used for import/export policy, RTs has to be consistent in each
VTEP switch. We will use RT auto format, which generates the RT values by combining
BGP AS number and L3VNI. Since we are using iBGP peering (all switches belongs to
same AS), we can use the auto-generation mode. If each VTEPs are in its own AS
(eBGP) then manual mode has to be used, otherwise we end up the situation where each
VTEP has a different value for RT and even though routes will successfully be exported to
BGP, no one will import those.
After creating the vrf context, we are going to attach it to BGP process.
vrf context TENANT77

vni 10077
rd auto
route-target both auto
route-target both auto evpn
!
router bgp 65000
router-id 192.168.77.101
neighbor 192.168.77.11
remote-as 65000
vrf TENANT77
advertise l2vpn evpn
Figure 4: VRF Context
As can be seen from the output below, the BGP RID for Leaf-101 is 192.168.77.101 and
the TENANT77 VRF_ID is 3. These together give us auto-generated RD value
192.168.77.101:3.
Leaf-101# sh vrf
VRF-Name VRF-ID State
Reason
TENANT77 3 Up --
Leaf-101# sh run bgp | i router

router bgp 65000
router-id 192.168.77.101
Leaf-101# show bgp l2vpn evpn vni-id 10077 | i 10077

Route Distinguisher: 192.168.77.101:3 (L3VNI 10077)
Configuring L2 vlan and L3 vlan interface for L3VNI service
For a routed packet, we need a layer 3 interface and layer 2 vlan. First, we create layer
2 vlan (in our case with id 77) and assign it to vn-segment 10077. Next, we create a
layer 3 interface for the vlan and attach it to the vrf context TENANT77. Layer 3 interface
does not have an ip address and we are going to use the command “ip forward”, which
allows ipv4 traffic on an interface that has no ip address.
Figure 5: L2/L3 VLAN for inter-tenant routing
Configuration examples are taken from VTEP-101.

vlan 77
name TENANT77
vn-segment 10077
!
interface Vlan77
no shutdown
mtu 9216
vrf member TENANT77
ip forward
!
interface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback100
member vni 10077 associate-vrf
!
evpn
Adding customer vlan to EVPN instance
As the last configuration step, I am going to add two customer subnets in our example
VXLAN fabric. We are going to create two VLANs 10 and 20. First, we create layer 2 vlan
and attach it to vn-segment (vlan 10 = VNI 10000 and vlan 20 = VNI 20000). We are
using anycast-gateway ip address (AGW IP), where the gateway ip for the specific
subnet is the same in all VTEPs (vlan 10 = 192.168.11.1 and vlan 20 = 192.168.12.1).
Anycast gateway in VXLAN fabric uses AGW MAC address, which is the same across all
VTEPs and all of the subnets. We are going to use AGW MAC 0001.0001.0001. Customer
layer 3 interfaces are attached to vrf context TENANT77.
To be able to export/import host mac/ip reachability information to/from BGP process we

need to add the specific vn-segment (VNI) to EVPN instance with RD and RT values. For
the uniqueness of routes, we need to have RD (as we need it in L3VNI) and for the
routing policy, we need to have dedicated RT for the VNI (same in each VTEP). In EVPN
instance, RD is formed from BGP RD and value 32767 + VLAN ID, which gives us RD:
192.168.77.101:32777. RT is delivered from the BGP ASN and VNI, which gives us RT:
65000:10000.
The last thing to do is attach VNIs associated with vlan to NVE interface. Note that we
are using the same mcast group for bum traffic of both VLANs. We are also using ARP-
suppression to prevent unnecessary ARP flooding. Even though not shown in the
configuration we need to configure the host-facing interfaces to correct vlan.
Note! When a host joins to network, it might use some Address Conflict Detection
mechanism to prevent duplicate ip addresses. This can be done with Gratuitous ARP,
where a host sends an ARP request by using its own ip addresses in both Sender- and
Target IP address fields (see Figure 10 in Appendix 1.). Based on normal mac learning
process, VTEP switch learns the mac/ip addresses of connected host and then send a
BGP EVPN update to other VTEPs. Note also that the ARP suppression is L2VNI
specific.
Figure 6: EVPN instance (EVI)
Template configuration for all VTEPs

fabric forwarding anycast-gateway-mac 0001.0001.0001
!
vlan 10
name L2VNI-for-VLAN10
vn-segment 10000
!
interface Vlan10
no shutdown
vrf member TENANT77
ip address 192.168.11.1/24
fabric forwarding mode anycast-gateway
!
evpn
vni 10000 l2
rd auto
route-target import auto
route-target export auto
!
int nve 1
member vni 10000
suppress-arp
mcast-group 238.0.0.10
Basic connectivity test
We are going to test basic connectivity between the hosts with ping.
Ping from Café to Beef (L2VNI service over VXLAN fabric)
Figure 7: ping Café to Beef
Cafe#ping 192.168.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.11, timeout is 2
seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =
1/1/2 ms
Ping from Café to Abba (Local routing)

Figure 8: ping Café to Abba
Cafe#ping 192.168.12.11
seconds:
!!!!!
2/8/13 ms
Ping from Café to Babe (L3VNI service over VXLAN fabric)
Figure 9: ping Café to Babe
Cafe#ping 192.168.12.12
seconds:
!!!!!
20/23/29 ms
That’s it. I will go through the operation and theory of the VXLAN BGP EVPN from both
Control and Data Plane in my next post.
Author: Toni Pasanen CCIE#28158

Published: 17.4.2018
Updated: 24-May 2018 by Toni Pasanen
References:
Building Data Center with VXLAN BGP EVPN – A Cisco NX-OS Perspective
ISBN-10: 1-58714-467-0 – Krattiger Lukas, Shyam Kapadia, and Jansen Davis
BRKDCN-3040: Troubleshooting VxLAN BGP EVPN – Vinit Jain
212682-virtual-extensible-lan-and-ethernet-virt: Virtual Extensible LAN and Ethernet

Virtual Private Network - Sabyasachi Kar
APPENDIX 1.
Gratuitous ARP
This Wireshark capture is taken during the time that host Cafe joins to the network for
the very first time.
Figure 10: Gratuitous ARP sends by host cafe when joining the network.
Building blocks and relationships in VXLAN.
Figure 11: VXLAN BGP EVPN building blocks.

Complete Configurations
Leaf-101
Leaf-101# sh run
!Command: show running-config

!Time: Mon Apr 16 12:48:51 2018
version 7.0(3)I7(1)
hostname Leaf-101
vdc Leaf-101 id 1
limit-resource vlan minimum 16 maximum 4094
limit-resource vrf minimum 2 maximum 4096
limit-resource port-channel minimum 0 maximum 511
limit-resource u4route-mem minimum 128 maximum 128
limit-resource m4route-mem minimum 58 maximum 58
nv overlay evpn
feature ospf
feature bgp
feature pim
feature nv overlay
no password strength-check
username admin password 5
$5$aV2kcO97$7ioNn2XTmsfuFj62MLL/wcMnEoJE9ifSY/AFfWPY2/
/ role network-admin
ip domain-lookup
ip host Spine-12 192.168.0.12
snmp-server user admin network-admin auth md5
0x223cfb63ca87c5b4856c960235329cff
priv 0x223cfb63ca87c5b4856c960235329cff localizedkey
rmon event 1 description FATAL(1) owner PMON@FATAL
rmon event 2 description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 description ERROR(3) owner PMON@ERROR
rmon event 4 description WARNING(4) owner PMON@WARNING
rmon event 5 description INFORMATION(5) owner PMON@INFO

ip pim rp-address 192.168.238.1 group-list 238.0.0.0/24 bidir
ip pim ssm range 232.0.0.0/8
vlan 1,10,20,77
vlan 10
vn-segment 10000
vlan 20
vn-segment 20000
vlan 77
name TENANT77
vn-segment 10077

vni 10077
rd auto
vrf context management
hardware access-list tcam region racl 512
hardware access-list tcam region arp-ether 256 double-wide
interface Vlan1
no shutdown
interface Vlan10
no shutdown
vrf member TENANT77
ip address 192.168.11.1/24
interface Vlan20
no shutdown
vrf member TENANT77
ip address 192.168.12.1/24
interface Vlan77
no shutdown
vrf member TENANT77
ip forward
interface nve1
no shutdown
member vni 10000
suppress-arp
member vni 20000
suppress-arp
interface Ethernet1/1
no switchport
medium p2p
ip unnumbered loopback0
ip ospf network point-to-point
ip pim sparse-mode
no shutdown
no switchport
medium p2p
ip pim sparse-mode
no shutdown
switchport access vlan 10
<empty interfaces removed from configuration output>
interface mgmt0
vrf member management
interface loopback0
description ** RID/Underlay **
ip address 192.168.0.101/32
ip pim sparse-mode
ip address 192.168.77.101/32
description ** VTEP/Overlay **
ip address 192.168.100.101/32
ip pim sparse-mode
line console
line vty
router ospf UNDERLAY-NET
router-id 192.168.0.101
name-lookup
router bgp 65000
router-id 192.168.77.101
neighbor 192.168.77.11
remote-as 65000
vrf TENANT77
evpn
vni 10000 l2
rd auto
vni 20000 l2
rd auto
Leaf-101#
Leaf-102
Leaf-102# sh run

!Time: Mon Apr 16 12:51:04 2018
version 7.0(3)I7(1)
hostname Leaf-102
vdc Leaf-102 id 1
nv overlay evpn
feature ospf
feature bgp
feature pim
feature nv overlay

$5$r25DfmPc$EvUgSVebL3gCPQ8e1ngSTxeKYIk4yuuPIomJKa5Lp/
3 role network-admin
ip domain-lookup
ip host Leaf-102 192.168.0.102
ip host Spine-11 192.168.0.11
0x713961e592dd5c2401317a7e674464ac
priv 0x713961e592dd5c2401317a7e674464ac localizedkey

vlan 1,10,20,77
vlan 10
vn-segment 10000
vlan 20
vn-segment 20000
vlan 77
name TENANT77
vn-segment 10077

vni 10077
rd auto
hardware access-list tcam region racl 512
hardware access-list tcam region arp-ether 256 double-wide
interface Vlan1
no shutdown
interface Vlan10
no shutdown
vrf member TENANT77
ip address 192.168.11.1/24
interface Vlan20
no shutdown
vrf member TENANT77
ip address 192.168.12.1/24
interface Vlan77
no shutdown
vrf member TENANT77
ip forward
interface nve1
no shutdown
member vni 10000
suppress-arp
member vni 20000
suppress-arp
no switchport
medium p2p
ip pim sparse-mode
no shutdown
no switchport
medium p2p
ip pim sparse-mode
no shutdown
interface mgmt0
interface loopback0
ip address 192.168.0.102/32
ip pim sparse-mode
ip address 192.168.77.102/32
description ** VTEP/Overlay **
ip address 192.168.100.102/32
ip pim sparse-mode
line console
line vty
router-id 192.168.0.102
name-lookup
router bgp 65000
router-id 192.168.77.102
neighbor 192.168.77.11
remote-as 65000
vrf TENANT77
evpn
vni 10000 l2
rd auto
vni 20000 l2
rd auto
Leaf-102#
Spine-11
Spine-11# sh run

!Time: Mon Apr 16 12:53:17 2018
version 7.0(3)I7(1)
hostname Spine-11
vdc Spine-11 id 1
nv overlay evpn
feature ospf
feature bgp
feature pim
feature nv overlay
no password strength-check
$5$60DVUPIV$uZWPu6ufHQOJSG18SK5b9/5kpZnV5E4/EFapzQP5CI
/ role network-admin
ip domain-lookup
ip host Spine-12 192.168.0.12
ip host Leaf-102 192.168.0.102
0xd177fd3448eab21dd2feb16d54938469
priv 0xd177fd3448eab21dd2feb16d54938469 localizedkey

vlan 1
no switchport
medium p2p
ip pim sparse-mode
no shutdown
no switchport
medium p2p
ip pim sparse-mode
no shutdown
interface mgmt0
interface loopback0
ip address 192.168.0.11/32
ip pim sparse-mode
ip address 192.168.77.11/32
description ** Anycast-RP address **
ip address 192.168.238.6/29
ip pim sparse-mode
line console
line vty
router-id 192.168.0.11
name-lookup
router bgp 65000
router-id 192.168.77.111
neighbor 192.168.77.101
remote-as 65000
send-community
route-reflector-client
neighbor 192.168.77.102
remote-as 65000
send-community
route-reflector-client
Spine-11#

06 - VXLAN Part VI VXLAN BGP EVPN - Basic Configurations

Uploaded by

Copyright:

Available Formats

06 - VXLAN Part VI VXLAN BGP EVPN - Basic Configurations

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

06 - VXLAN Part VI VXLAN BGP EVPN - Basic Configurations

Uploaded by

Copyright:

Available Formats

VXLAN Part VI: VXLAN BGP EVPN – Basic Configurations

Note! I am using Cisco VIRL with Nexus 9000v (nxos.7.0.3.I7.1.bin).

Figure 1: VXLAN BGP EVPN

Updated: February 21.4.2018 | Toni Pasanen

The Underlay Network IP connectivity configuration can be found from my previous

VXLAN Part II. The Underlay network – Unicast Routing

nv overlay: enables VXLAN.

In leaf switch VTEP-101, we use ip address 192.168.77.101 (loopback 77 ) as a BGP

Loopback 0: Instead of configuring dedicated ip address on Inter-switch link, I have

Leaf-101# sh bgp l2vpn evpn summary

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ

Configuring VRF Context

RD in VXLAN perspective is an IPv4 address extension, which is used by BGP Route

vrf context TENANT77

Figure 4: VRF Context

Leaf-101# sh run bgp | i router

Leaf-101# show bgp l2vpn evpn vni-id 10077 | i 10077

Configuring L2 vlan and L3 vlan interface for L3VNI service

Figure 5: L2/L3 VLAN for inter-tenant routing

Configuration examples are taken from VTEP-101.

Adding customer vlan to EVPN instance

To be able to export/import host mac/ip reachability information to/from BGP process we

Figure 6: EVPN instance (EVI)

Template configuration for all VTEPs

Basic connectivity test

Ping from Café to Beef (L2VNI service over VXLAN fabric)

Figure 7: ping Café to Beef

Ping from Café to Abba (Local routing)

Ping from Café to Babe (L3VNI service over VXLAN fabric)

Figure 9: ping Café to Babe

Author: Toni Pasanen CCIE#28158

BRKDCN-3040: Troubleshooting VxLAN BGP EVPN – Vinit Jain

212682-virtual-extensible-lan-and-ethernet-virt: Virtual Extensible LAN and Ethernet

Building blocks and relationships in VXLAN.

Figure 11: VXLAN BGP EVPN building blocks.

!Command: show running-config

fabric forwarding anycast-gateway-mac 0001.0001.0001

vrf context TENANT77

<empty interfaces removed from configuration output>

!Command: show running-config

username admin password 5

fabric forwarding anycast-gateway-mac 0001.0001.0001

vrf context TENANT77

<empty interfaces removed from configuration output>

!Command: show running-config

ip pim rp-address 192.168.238.1 group-list 238.0.0.0/24 bidir

vrf context management

<empty interfaces removed from configuration output>

You might also like