VXLAN Hybrid Access Port Configuration
This chapter shows how to configure a hybrid access port, which is a Layer 2 port (configured as a switchport) that is part of both a VXLAN domain and a Layer 2 bridge with different VLANs.
Overview
A hybrid VXLAN access port is a Layer 2 port that is part of a regular Layer 2 bridge (RSTP/MSTP/STP) and a VXLAN bridge at the same time. A switch port cannot be part of both a VXLAN domain and a Layer 2 bridge if the VXLAN port is created with “port only” mapping. The same VLAN cannot be part of both a VXLAN domain and a Layer 2 bridge.
If a port is created with “all” VLANs, then the port should not allow VXLAN access-port configurations. If a VXLAN with a specific VLAN is mapped, then configuring VLAN “all” on the same port does not allow that specified VLAN in the Layer 2 bridge. If the VXLAN access-port configurations are removed, then the specified VLAN is added immediately to the Layer 2 bridge.
Ingress traffic with a VXLAN VLAN does not receive Layer 2 traffic, or vice versa. STP states on port P1 do not affect VXLAN traffic.
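The mapping rules above can be checked against a candidate configuration before it is committed. The following Python linter is an added example, not part of the original documentation or of the switch software. It applies the rules per port; the port-only command form (nvo vxlan access-if port IFNAME), the "allowed vlan all" form, the ports ce40/1 and ce41/1, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed input: VTEP1's ce25/2 and ce31/1 lines from this page, plus two
# deliberately conflicting ports (ce40/1, ce41/1) that are not on the page.
SAMPLE = """\
interface ce25/2
 bridge-group 32
 switchport hybrid allowed vlan add 4 egress-tagged enable
interface ce31/1
 bridge-group 32
 switchport hybrid allowed vlan add 4 egress-tagged enable
interface ce40/1
 bridge-group 32
 switchport hybrid allowed vlan add 3-4 egress-tagged enable
interface ce41/1
 bridge-group 32
nvo vxlan access-if port-vlan ce31/1 3
nvo vxlan access-if port-vlan ce40/1 3
nvo vxlan access-if port ce41/1
"""

def expand(spec):
    """Expand a VLAN list such as '3-4,7' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def lint(config):
    """Return sorted (port, finding) pairs for the Overview's hybrid-port rules."""
    bridged, allow_all, port_only = set(), set(), set()
    bridge_vlans, vxlan_vlans = defaultdict(set), defaultdict(set)
    port = None  # interface whose sub-commands are currently being read
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            port = m.group(1)
        elif m := re.fullmatch(r"nvo vxlan access-if port-vlan (\S+) (\d+)", line):
            vxlan_vlans[m.group(1)].add(int(m.group(2)))
            port = None
        elif m := re.fullmatch(r"nvo vxlan access-if port (\S+)", line):  # assumed syntax
            port_only.add(m.group(1))
            port = None
        elif port and re.fullmatch(r"bridge-group \d+", line):
            bridged.add(port)
        elif port and re.match(r"switchport hybrid allowed vlan all\b", line):  # assumed syntax
            allow_all.add(port)
        elif port and (m := re.match(r"switchport hybrid allowed vlan add ([\d,-]+)", line)):
            bridge_vlans[port] |= expand(m.group(1))
    findings = [(p, "port-only VXLAN mapping on an L2 bridge member")
                for p in port_only & bridged]
    for p, vlans in vxlan_vlans.items():
        for v in sorted(vlans & bridge_vlans[p]):
            findings.append((p, f"VLAN {v} is in both the VXLAN domain and the L2 bridge"))
        if p in allow_all:
            findings.append((p, f"'all' does not put VXLAN VLANs {sorted(vlans)} in the L2 bridge"))
    return sorted(findings)

if __name__ == "__main__":
    for port, finding in lint(SAMPLE):
        print(f"{port}: {finding}")
```

The page's own ports (ce25/2 and ce31/1) produce no findings, because VLAN 4 is bridged and VLAN 3 is mapped to the VNID; only the two constructed ports are reported.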
Topology
RTR1/VTEP1
#configure terminal | Enter configure mode. |
(config)#interface lo | Enter interface mode for loopback. |
(config-if)#ip address 10.10.10.10/32 secondary | Assign secondary IP address. |
(config-if)#exit | Exit interface mode. |
(config)#mac vrf vrf12345 | Create mac routing/forwarding instance with vrf12345 name and enter VRF mode. |
(config-vrf)#rd 1.1.1.1:1 | Assign Rd value. |
(config-vrf)#route-target both 10.10.10.10:10 | Assign route-target both value. |
(config-vrf)#exit | Exit VRF configuration mode. |
(config)#bridge 32 protocol ieee vlan-bridge | Configure the ieee vlan-bridge with Id 32. |
(config)#vlan 2-5 bridge 32 | Configure the vlans 2-5 for the configured bridge Id 32. |
(config)#interface ce25/1 | Enter interface mode for ce25/1. |
(config-if)#ip address 20.20.20.0/31 | Assign IP address 20.20.20.0 in /31 mask. |
(config-if)#exit | Exit interface mode. |
(config)#interface ce25/2 | Enter interface mode for ce25/2. |
(config-if)#switchport | Make it L2 interface. |
(config-if)#bridge-group 32 | Associate the bridge-group 32 to the interface. |
(config-if)#switchport mode hybrid | Configure the Hybrid mode. |
(config-if)#switchport hybrid allowed vlan add 4 egress-tagged enable | Configure hybrid allowed vlan add 4 to support the created vlan in the L2 Bridge. |
(config-if)#exit | Exit interface mode. |
(config)#interface ce31/1 | Enter interface mode for ce31/1. |
(config-if)#switchport | Make it L2 interface. |
(config-if)#bridge-group 32 | Associate the bridge-group 32 to the interface. |
(config-if)#switchport mode hybrid | Configure the Hybrid mode. |
(config-if)#switchport hybrid allowed vlan add 4 egress-tagged enable | Configure hybrid allowed vlan add 4 to support the created vlan in the L2 Bridge. |
(config-if)#exit | Exit interface mode. |
(config)#router bgp 64512 | Enter BGP router mode. |
(config-router)#bgp router-id 1.1.1.1 | Assign BGP router ID |
(config-router)#neighbor 20.20.20.1 remote-as 64513 | Specify a neighbor router with peer ip address and remote-as defined. |
(config-router)#address-family ipv4 unicast | Enter into ipv4 unicast address family |
(config-router-af)#network 10.10.10.10/32 | Advertise loopback network into BGP for VTEP ID reachability |
(config-router-af)#exit-address-family | Exit ipv4 unicast address family mode |
(config-router)#address-family l2vpn evpn | Enter l2vpn address family mode. |
(config-router-af)#neighbor 20.20.20.1 activate | Activate the peer into address family mode. |
(config-router-af)#exit-address-family | Exit l2vpn address family mode. |
(config-router)#exit | Exit BGP router mode. |
(config)#hardware-profile filter vxlan enable | Enable hardware profile for vxlan |
(config)#hardware-profile statistics ac-lif enable | Enable ac-lif for VxLAN access-if port counters |
(config)#nvo vxlan enable | Enable Vxlan. |
(config)#nvo vxlan vtep-ip-global 10.10.10.10 | Configure the source Vtep-ip. |
(config)#nvo vxlan id 16777215 ingress-replication inner-vid-disabled | Configure Vxlan Network identifier with/without inner-vid-disabled configure and enter Vxlan tenant mode. |
(config-nvo)#vxlan host-reachability-protocol evpn-bgp vrf12345 | Assign VRF for evpn-bgp to carry evpn route. |
(config-nvo)#exit | Exit Vxlan tenant mode. |
(config)#nvo vxlan access-if port-vlan ce31/1 3 | Enable port-vlan mapping i.e. access port to outer-vlan (SVLAN) mapping. |
(config-nvo-acc-if)#map vnid 16777215 | Map Vxlan Identifier to access-port. |
(config-nvo-acc-if)#exit | Exit Vxlan access-interface mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
RTR2
#configure terminal | Enter configure mode. |
(config)#bridge 32 protocol ieee vlan-bridge | Configure the ieee vlan-bridge with Id 32. |
(config)#vlan 2-5 bridge 32 | Configure the vlans 2-5 for the configured bridge Id 32. |
(config)#interface xe17 | Enter interface mode for xe17. |
(config-if)#ip address 20.20.20.1/31 | Assign IP address 20.20.20.1 in /31 mask. |
(config-if)#exit | Exit interface mode. |
(config)#interface xe18 | Enter interface mode for xe18. |
(config-if)#switchport | Make it L2 interface. |
(config-if)#bridge-group 32 | Associate the bridge-group 32 to the interface. |
(config-if)#switchport mode hybrid | Configure the Hybrid mode. |
(config-if)#switchport hybrid allowed vlan add 4 egress-tagged enable | Configure hybrid allowed vlan add 4 to support the created vlan in the L2 Bridge. |
(config-if)#exit | Exit interface mode. |
(config)#interface xe33 | Enter interface mode for xe33. |
(config-if)#ip address 30.30.30.0/31 | Assign IP address 30.30.30.0 in /31 mask. |
(config-if)#exit | Exit interface mode. |
(config)#interface xe34 | Enter interface mode for xe34. |
(config-if)#switchport | Make it L2 interface. |
(config-if)#bridge-group 32 | Associate the bridge-group 32 to the interface. |
(config-if)#switchport mode hybrid | Configure the Hybrid mode. |
(config-if)#switchport hybrid allowed vlan add 4 egress-tagged enable | Configure hybrid allowed vlan add 4 to support the created vlan in the L2 Bridge. |
(config-if)#exit | Exit interface mode. |
(config)#router bgp 64513 | Enter BGP router mode. |
(config-router)#bgp router-id 2.2.2.2 | Assign BGP router ID |
(config-router)#neighbor 20.20.20.0 remote-as 64512 | Specify a neighbor router with peer ip address and remote-as defined. |
(config-router)#neighbor 30.30.30.1 remote-as 64514 | Specify a neighbor router with peer ip address and remote-as defined. |
(config-router)#address-family l2vpn evpn | Enter l2vpn address family mode. |
(config-router-af)#neighbor 20.20.20.0 activate | Activate the peer into address family mode. |
(config-router-af)#neighbor 30.30.30.1 activate | Activate the peer into address family mode. |
(config-router-af)#exit-address-family | Exit l2vpn address family mode. |
(config-router)#exit | Exit BGP router mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
RTR3/VTEP2
#configure terminal | Enter configure mode. |
(config)#interface lo | Enter interface mode for loopback. |
(config-if)#ip address 40.40.40.40/32 secondary | Assign secondary IP address. |
(config-if)#exit | Exit interface mode. |
(config)#mac vrf vrf12345 | Create mac routing/forwarding instance with vrf12345 name and enter VRF mode. |
(config-vrf)#rd 2.2.2.2:2 | Assign Rd value. |
(config-vrf)#route-target both 10.10.10.10:10 | Assign route-target both value. |
(config-vrf)#exit | Exit VRF configuration mode. |
(config)#bridge 32 protocol ieee vlan-bridge | Configure the ieee vlan-bridge with Id 32. |
(config)#vlan 2-5 bridge 32 | Configure the vlans 2-5 for the configured bridge Id 32. |
(config)#interface xe49/1 | Enter interface mode for xe49/1. |
(config-if)#ip address 30.30.30.1/31 | Assign IP address 30.30.30.1 in /31 mask. |
(config-if)#exit | Exit interface mode. |
(config)#interface xe49/2 | Enter interface mode for xe49/2. |
(config-if)#switchport | Make it L2 interface. |
(config-if)#bridge-group 32 | Associate the bridge-group 32 to the interface. |
(config-if)#switchport mode hybrid | Configure the Hybrid mode. |
(config-if)#switchport hybrid allowed vlan add 4 egress-tagged enable | Configure hybrid allowed vlan add 4 to support the created vlan in the L2 Bridge. |
(config-if)#exit | Exit interface mode. |
(config)#interface xe1 | Enter interface mode for xe1. |
(config-if)#switchport | Make it L2 interface. |
(config-if)#bridge-group 32 | Associate the bridge-group 32 to the interface. |
(config-if)#switchport mode hybrid | Configure the Hybrid mode. |
(config-if)#switchport hybrid allowed vlan add 4 egress-tagged enable | Configure hybrid allowed vlan add 4 to support the created vlan in the L2 Bridge. |
(config-if)#exit | Exit interface mode. |
(config)#router bgp 64514 | Enter BGP router mode. |
(config-router)#bgp router-id 3.3.3.3 | Assign BGP router ID |
(config-router)#neighbor 30.30.30.0 remote-as 64513 | Specify a neighbor router with peer IP address and remote-as defined. |
(config-router)#address-family ipv4 unicast | Enter into ipv4 unicast address family |
(config-router-af)#network 40.40.40.40/32 | Advertise loopback network into BGP for VTEP ID reachability |
(config-router-af)#exit-address-family | Exit ipv4 unicast address family mode |
(config-router)#address-family l2vpn evpn | Enter l2vpn address family mode. |
(config-router-af)#neighbor 30.30.30.0 activate | Activate the peer into address family mode. |
(config-router-af)#exit-address-family | Exit l2vpn address family mode. |
(config-router)#exit | Exit BGP router mode. |
(config)#hardware-profile filter vxlan enable | Enable hardware profile for vxlan |
(config)#hardware-profile statistics ac-lif enable | Enable ac-lif for VxLAN access-if port counters |
(config)#nvo vxlan enable | Enable Vxlan. |
(config)#nvo vxlan vtep-ip-global 40.40.40.40 | Configure the source Vtep-ip. |
(config)#nvo vxlan id 16777215 ingress-replication inner-vid-disabled | Configure Vxlan Network identifier with/without inner-vid-disabled configure and enter Vxlan tenant mode. |
(config-nvo)#vxlan host-reachability-protocol evpn-bgp vrf12345 | Assign VRF for evpn-bgp to carry evpn route. |
(config-nvo)#exit | Exit Vxlan tenant mode. |
(config)#nvo vxlan access-if port-vlan xe1 3 | Enable port-vlan mapping i.e. access port to outer-vlan (SVLAN) mapping. |
(config-nvo-acc-if)#map vnid 16777215 | Map Vxlan Identifier to access-port. |
(config-nvo-acc-if)#exit | Exit Vxlan access-interface mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
Validation
VTEP1
#show running-config nvo vxlan
!
nvo vxlan enable
!
nvo vxlan vtep-ip-global 10.10.10.10
!
nvo vxlan id 16777215 ingress-replication inner-vid-disabled
vxlan host-reachability-protocol evpn-bgp vrf12345
!
nvo vxlan access-if port-vlan ce31/1 3
map vnid 16777215
!
VTEP1#show nvo vxlan
VXLAN Information
=================
Codes: NW - Network Port
AC - Access Port
(u) - Untagged
VNID VNI-Name VNI-Type Type Interface ESI VLAN DF-Status Src-Addr Dst-Addr
_______________________________________________________________________________________________________________________________
16777215 ---- L2 NW ---- ------ ---- ---- 10.10.10.10 40.40.40.40
16777215 ---- -- AC ce31/1 --- Single Homed Port --- 3 ---- ---- ----
Total number of entries are 2
VTEP1#show nvo vxlan vnid 16777215
VXLAN Information
=================
Codes: NW - Network Port
AC - Access Port
(u) - Untagged
VNID VNI-Name VNI-Type Type Interface ESI VLAN DF-Status Src-Addr Dst-Addr
_______________________________________________________________________________________________________________________________
16777215 ---- L2 NW ---- ------ ---- ---- 10.10.10.10 40.40.40.40
16777215 ---- -- AC ce31/1 --- Single Homed Port --- 3 ---- ---- ----
Total number of entries are 2!
VTEP1#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
ia - IS-IS inter area, E - EVPN,
v - vrf leaked
* - candidate default
IP Route Table for VRF "default"
C 10.10.10.10/32 is directly connected, lo, 01:15:55
C 20.20.20.0/31 is directly connected, xe10/1, 01:07:53
B 40.40.40.40/32 [20/0] via 20.20.20.1, xe10/1, 00:42:54
C 127.0.0.0/8 is directly connected, lo, 1d05h02m
Gateway of last resort is not set
VTEP1#show nvo vxlan tunnel
VXLAN Network tunnel Entries
Source Destination Status Up/Down Update
================================================================================
33.33.33.0 34.34.34.0 Installed 00:26:27 00:26:27
Total number of entries are 1
VTEP1#show bgp l2vpn evpn summary
BGP router identifier 10.10.10.2, local AS number 64512
BGP table version is 10
2 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd AD MACIP MCAST ESI PREFIX-ROUTE
20.20.20.1 4 64513 108 109 10 0 0 00:48:14 3 0 2 1 0 0
Total number of neighbors 1
Total number of Established sessions 1
VTEP1#show bgp l2vpn evpn
BGP table version is 4, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
l - labeled, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
[EVPN route type]:[ESI]:[VNID]:[relevent route informantion]
1 - Ethernet Auto-discovery Route
2 - MAC/IP Route
3 - Inclusive Multicast Route
4 - Ethernet Segment Route
5 - Prefix Route
Network Next Hop Metric LocPrf Weight Path Peer Encap
RD[1.1.1.1:1] VRF[vrf12345]:
* [2]:[0]:[16777215]:[48,0000.0744.4433]:[0]:[16777215]
40.40.40.40 0 100 0 64513 64514 i 20.20.20.1 VXLAN
*> [2]:[0]:[16777215]:[48,0000.2222.2222]:[0]:[16777215]
10.10.10.10 0 100 32768 i ---------- VXLAN
*> [3]:[16777215]:[32,10.10.10.10]
10.10.10.10 0 100 32768 i ---------- VXLAN
* [3]:[16777215]:[32,40.40.40.40]
40.40.40.40 0 100 0 64513 64514 i 20.20.20.1 VXLAN
RD[2.2.2.2:2]
*> [2]:[0]:[16777215]:[48,0000.0744.4433]:[0]:[16777215]
40.40.40.40 0 100 0 64513 64514 i 20.20.20.1 VXLAN
*> [3]:[16777215]:[32,40.40.40.40]
40.40.40.40 0 100 0 64513 64514 i 20.20.20.1 VXLAN
Total number of prefixes 6
VTEP1#show nvo vxlan mac-table
=====================================================================================================================================================
VXLAN MAC Entries
=====================================================================================================================================================
VNID Interface VlanId Inner-VlanId Mac-Addr VTEP-Ip/ESI Type Status AccessPortDesc
_____________________________________________________________________________________________________________________________________________________
16777215 ce31/1 3 ---- 0000.2222.2222 10.10.10.10 Dynamic Local ------- -------
16777215 ---- ---- ---- 0000.0744.4433 40.40.40.40 Dynamic Remote ------- -------
Total number of entries are : 2
VTEP1#show nvo vxlan arp-cache
VXLAN ARP-CACHE Information
===========================
VNID Ip-Addr Mac-Addr Type Age-Out Retries-Left
____________________________________________________________________________
Total number of entries are 0
#show vlan brief
Bridge VLAN ID Name State H/W Status Member ports
(u)-Untagged, (t)-Tagged
======= ======= ================ ======= ========== ==========================
32 1 default ACTIVE Success ce25/2(u) ce31/1(u)
32 2 VLAN0002 ACTIVE Success
32 3 VLAN0003 ACTIVE Success
32 4 VLAN0004 ACTIVE Success ce25/2(t) ce31/1(t)
32 5 VLAN0005 ACTIVE Success
RTR2
RTR2#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
ia - IS-IS inter area, E - EVPN,
v - vrf leaked
* - candidate default
IP Route Table for VRF "default"
B 10.10.10.10/32 [20/0] via 20.20.20.0, xe17, 00:29:48
C 20.20.20.0/31 is directly connected, xe17, 02:33:29
C 30.30.30.0/31 is directly connected, xe33, 02:31:56
B 40.40.40.40/32 [20/0] via 30.30.30.1, xe33, 02:23:26
C 127.0.0.0/8 is directly connected, lo, 21:17:41
Gateway of last resort is not set
RTR2#show bgp l2vpn evpn summary
BGP router identifier 11.11.11.1, local AS number 64513
BGP table version is 10
2 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd AD MACIP MCAST ESI PREFIX-ROUTE
20.20.20.0 4 64512 111 112 10 0 0 00:49:36 3 0 2 1 0 0
30.30.30.1 4 64514 101 103 10 0 0 00:45:10 3 0 2 1 0 0
Total number of neighbors 2
Total number of Established sessions 2
VTEP2
VTEP2#show running-config nvo vxlan
!
nvo vxlan enable
!
nvo vxlan vtep-ip-global 40.40.40.40
!
nvo vxlan id 16777215 ingress-replication inner-vid-disabled
vxlan host-reachability-protocol evpn-bgp vrf12345
!
nvo vxlan access-if port-vlan xe1 3
map vnid 16777215
!
VTEP2#show nvo vxlan
VXLAN Information
=================
Codes: NW - Network Port
AC - Access Port
(u) - Untagged
VNID VNI-Name VNI-Type Type Interface ESI VLAN DF-Status Src-Addr Dst-Addr
_______________________________________________________________________________________________________________________________
16777215 ---- L2 NW ---- ------ ---- ---- 40.40.40.40 10.10.10.10
16777215 ---- -- AC xe1 --- Single Homed Port --- 3 ---- ---- ----
Total number of entries are 2
VTEP2#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
ia - IS-IS inter area, E - EVPN,
v - vrf leaked
* - candidate default
IP Route Table for VRF "default"
B 10.10.10.10/32 [20/0] via 30.30.30.0, xe11/1, 00:27:32
C 30.30.30.0/31 is directly connected, xe11/1, 00:30:00
C 40.40.40.40/32 is directly connected, lo, 00:31:00
C 127.0.0.0/8 is directly connected, lo, 06:25:00
Gateway of last resort is not set
VTEP2#show nvo vxlan tunnel
VXLAN Network tunnel Entries
Source Destination Status Up/Down Update
====================================================================================
40.40.40.40 10.10.10.10 Installed 00:14:40 00:14:40
Total number of entries are 1
VTEP2#show bgp l2vpn evpn summary
BGP router identifier 33.33.33.33, local AS number 64514
BGP table version is 8
2 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcv MsgSen TblVer InQ OutQ Up/Down State/PfxRcd AD MACIP MCAST ESI PREFIX-ROUTE
30.30.30.0 4 64513 267 270 8 0 0 02:09:07 2 0 1 1 0 0
Total number of neighbors 1
Total number of Established sessions 1
VTEP2#show bgp l2vpn evpn
BGP table version is 8, local router ID is 40.40.40.40
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
l - labeled, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
[EVPN route type]:[ESI]:[VNID]:[relevent route informantion]
1 - Ethernet Auto-discovery Route
2 - MAC/IP Route
3 - Inclusive Multicast Route
4 - Ethernet Segment Route
5 - Prefix Route
Network Next Hop Metric LocPrf Weight Path Peer Encap
RD[1.1.1.1:1]
*> [2]:[0]:[16777215]:[48,0000.2222.2222]:[0]:[16777215]
10.10.10.10 0 100 0 64513 64512 i 30.30.30.0 VXLAN
*> [3]:[16777215]:[32,10.10.10.10]
10.10.10.10 0 100 0 64513 64512 i 30.30.30.0 VXLAN
RD[2.2.2.2:2] VRF[vrf12345]:
*> [2]:[0]:[16777215]:[48,0000.0744.4433]:[0]:[16777215]
40.40.40.40 0 100 32768 i ---------- VXLAN
* [2]:[0]:[16777215]:[48,0000.2222.2222]:[0]:[16777215]
10.10.10.10 0 100 0 64513 64512 i 30.30.30.0 VXLAN
* [3]:[16777215]:[32,10.10.10.10]
10.10.10.10 0 100 0 64513 64512 i 30.30.30.0 VXLAN
*> [3]:[16777215]:[32,40.40.40.40]
40.40.40.40 0 100 32768 i ---------- VXLAN
Total number of prefixes 6
VTEP2#show nvo vxlan mac-table
=====================================================================================================================================================
VXLAN MAC Entries
=====================================================================================================================================================
VNID Interface VlanId Inner-VlanId Mac-Addr VTEP-Ip/ESI Type Status AccessPortDesc
_____________________________________________________________________________________________________________________________________________________
16777215 ---- ---- ---- 0000.2222.2222 10.10.10.10 Dynamic Remote ------- -------
16777215 xe1 3 ---- 0000.0744.4433 40.40.40.40 Dynamic Local ------- -------
Total number of entries are : 2
VTEP2#show vlan brief
Bridge VLAN ID Name State H/W Status Member ports
(u)-Untagged, (t)-Tagged
======= ======= ================ ======= ========== ==========================
32 1 default ACTIVE Success xe1(u) xe49/2(u)
32 2 VLAN0002 ACTIVE Success
32 3 VLAN0003 ACTIVE Success
32 4 VLAN0004 ACTIVE Success xe1(t) xe49/2(t)
32 5 VLAN0005 ACTIVE Success
VTEP2#