VxLAN-EVPN Symmetric IRB Support with Connected host
Overview
EVPN-IRB enables communication between two L2VNIs by routing through an IP-VRF. This feature provides host-based (/32) Symmetric IRB support, which directs inter-subnet traffic straight to the VTEP that the host is attached to. To enable it, configure "evpn irb-advertise-host-route" under the VNID (BGP type 2) or "redistribute connected-host-routes" under BGP (BGP type 5).
Note:
In VxLAN-EVPN Interface-less mode, only the 'redistribute connected-host-routes' command is supported. In Interface-full mode, both commands are supported.
It is advisable to configure a route map on ESI-configured Multi-Homed (MH) nodes to block hosts from the peer MH node. This configuration is not required on non-ESI MH VTEPs.
Feature Characteristics
The preferred and recommended approach for AOS-CX VXLAN/EVPN Distributed L3 Gateways is Symmetric IRB. This implementation offers superior scalability by eliminating the need to manage MAC/ARP entries for both source and destination hosts, and it doesn't require configuring the same VLAN/VNI as in the case of Asymmetric IRB. These advantages facilitate simpler and more scalable deployments in both Data Center and Campus networks.
Benefits
The advantages of using VxLAN-EVPN Symmetric IRB are:
Routing is employed on both ingress and egress VTEPs.
Bi-directional traffic follows a symmetric path, such as utilizing an L3 VNI per VRF.
VTEPs are relieved from holding unnecessary ARP/MAC resources.
Configuration of the destination VLAN/VNI on the source VTEP is unnecessary.
Configuration
Ensure that the VTEPs have a base configuration with Symmetric IRB settings. Then, initiate dynamic traffic from VTEP4 originating from the same subnet (53.1.X.XX/XXXX::XX) as the IRB interface. Typically, in EVPN, a single IP-VRF can accommodate multiple IRB interfaces. Each IRB interface corresponds to a VNI, and multiple VNIs can be associated with a MAC-VRF.
Topology
The procedures in this section use the topology in Figure 16-1.
VxLAN EVPN IRB Connected host
Note: In the above topology, TG1 is a multi-homed host, and TG2 and TG3 are single-homed hosts configured with the same subnet, so there is ECMP for the 53 network on VTEP1 and VTEP2.
Base Configurations
Begin with a basic configuration that includes Symmetric IRB configurations on VTEPs, then initiate dynamic traffic transmission from VTEP4 within the same subnet (53.1.1.40/5301::40) as the IRB interface.
Validation
The following outputs show the state before evpn irb-advertise-host-route is configured under the VNID or redistribute connected-host-routes is configured under BGP.
In VTEP1:
 
VTEP1#show ip route vrf vxlan_l3_elan_mhsh
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
ia - IS-IS inter area, E - EVPN,
v - vrf leaked
* - candidate default
 
IP Route Table for VRF "vxlan_l3_elan_mhsh"
B 2.2.2.2/32 [0/0] is directly connected, tunvxlan3, 00:21:33
B 5.5.5.5/32 [0/0] is directly connected, tunvxlan3, 00:21:33
B 6.6.6.6/32 [0/0] is directly connected, tunvxlan3, 00:21:33
B 53.1.1.0/24 [200/0] via 6.6.6.6 (recursive is directly connected, tunvxlan3), 00:21:34
[200/0] via 5.5.5.5 (recursive is directly connected, tunvxlan3)
C 127.0.0.0/8 is directly connected, lo.vxlan_l3_elan_mhsh, 07:17:43
C 200.1.1.0/24 is directly connected, irb1604, 07:17:41
 
Gateway of last resort is not set
VTEP1#
VTEP1#show ipv6 route vrf vxlan_l3_elan_mhsh
IPv6 Routing Table
IP Route Table for VRF "vxlan_l3_elan_mhsh"
C ::1/128 via ::, lo.vxlan_l3_elan_mhsh, 07:18:01
B ::ffff:202:202/128 [0/0] via ::, tunvxlan3, 00:21:51
B ::ffff:505:505/128 [0/0] via ::, tunvxlan3, 00:21:51
B ::ffff:606:606/128 [0/0] via ::, tunvxlan3, 00:21:51
C 2000::/48 via ::, irb1604, 07:17:59
B 5301::/48 [200/0] via ::ffff:606:606 (recursive via ::, tunvxlan3), 00:21:52
[200/0] via ::ffff:505:505 (recursive via ::, tunvxlan3)
C fe80::/64 via ::, irb1604, 07:17:59
VTEP1#
 
In VTEP2:
 
VTEP2#show ip route vrf vxlan_l3_elan_mhsh
IP Route Table for VRF "vxlan_l3_elan_mhsh"
B 1.1.1.1/32 [0/0] is directly connected, tunvxlan3, 00:22:50
B 5.5.5.5/32 [0/0] is directly connected, tunvxlan3, 00:22:50
B 6.6.6.6/32 [0/0] is directly connected, tunvxlan3, 00:22:50
B 53.1.1.0/24 [200/0] via 6.6.6.6 (recursive is directly connected, tunvxlan3), 00:22:51
[200/0] via 5.5.5.5 (recursive is directly connected, tunvxlan3)
C 127.0.0.0/8 is directly connected, lo.vxlan_l3_elan_mhsh, 07:19:21
C 200.1.1.0/24 is directly connected, irb1604, 07:19:19
 
Gateway of last resort is not set
VTEP2#
VTEP2#
VTEP2#show ipv6 route vrf vxlan_l3_elan_mhsh
IPv6 Routing Table
IP Route Table for VRF "vxlan_l3_elan_mhsh"
C ::1/128 via ::, lo.vxlan_l3_elan_mhsh, 07:19:22
B ::ffff:101:101/128 [0/0] via ::, tunvxlan3, 00:22:51
B ::ffff:505:505/128 [0/0] via ::, tunvxlan3, 00:22:51
B ::ffff:606:606/128 [0/0] via ::, tunvxlan3, 00:22:51
C 2000::/48 via ::, irb1604, 07:19:20
B 5301::/48 [200/0] via ::ffff:606:606 (recursive via ::, tunvxlan3), 00:22:51
[200/0] via ::ffff:505:505 (recursive via ::, tunvxlan3)
C fe80::/64 via ::, irb1604, 07:19:20
VTEP2#
VTEP2#show bgp l2vpn evpn mac-ip | grep 0000:0053:0040
0 605 0000:0053:0040 -- 605 0 6.6.6.6 -- VxLAN
0 605 0000:0053:0040 53.1.1.40 605 0 6.6.6.6 -- VxLAN
0 605 0000:0053:0040 5301::40 605 0 6.6.6.6 -- VxLAN
VTEP2#
 
In VTEP4:
VTEP4#show bgp l2vpn evpn mac-ip | grep 0000:0053:0040
0 605 0000:0053:0040 -- 605 0 6.6.6.6 -- VxLAN
0 605 0000:0053:0040 53.1.1.40 605 0 6.6.6.6 -- VxLAN
0 605 0000:0053:0040 5301::40 605 0 6.6.6.6 -- VxLAN
VTEP4#
 
EVPN irb-advertise-host-route Configuration
1. To enable EVPN irb-advertise-host-route, execute the following commands in config mode.
(config)#nvo vxlan id 605 ingress-replication inner-vid-disabled
(config-nvo)#vxlan host-reachability-protocol evpn-bgp vxlan_l2_elan_sh2
(config-nvo)#evpn irb605
(config-nvo)#evpn irb-advertise-host-route
2. To redistribute connected host routes, execute the following commands.
(config)#nvo vxlan id 605 ingress-replication inner-vid-disabled
(config)#router bgp 1
(config-router)#address-family ipv4 vrf vxlan_l3_elan_sh
VTEP4(config-router-af)#redistribute connected-host-routes
Note: When a static MAC-IP is configured on a VxLAN access interface and redistribute connected-host-routes is configured under BGP, the routes are not advertised as /32 or /128, because no ARP entry is present for a static MAC-IP. Host routes are advertised only for dynamic entries.
Note: With redistribute connected-host-routes, show bgp l2vpn evpn mac-ip does not show the L3VNID.
Validation
Use the following commands to validate the VxLAN-EVPN Symmetric IRB.
In VTEP1:
 
VTEP1#show ip route vrf vxlan_l3_elan_mhsh
IP Route Table for VRF "vxlan_l3_elan_mhsh"
B 2.2.2.2/32 [0/0] is directly connected, tunvxlan3, 00:37:03
B 5.5.5.5/32 [0/0] is directly connected, tunvxlan3, 00:37:03
B 6.6.6.6/32 [0/0] is directly connected, tunvxlan3, 00:37:03
B 53.1.1.0/24 [200/0] via 6.6.6.6 (recursive is directly connected, tunvxlan3), 00:37:04
[200/0] via 5.5.5.5 (recursive is directly connected, tunvxlan3)
B 53.1.1.40/32 [200/0] via 6.6.6.6 (recursive is directly connected, tunvxlan3), 00:05:49
C 127.0.0.0/8 is directly connected, lo.vxlan_l3_elan_mhsh, 07:33:13
C 200.1.1.0/24 is directly connected, irb1604, 07:33:11
Gateway of last resort is not set
VTEP1#
VTEP1#show ipv6 route vrf vxlan_l3_elan_mhsh
IPv6 Routing Table
IP Route Table for VRF "vxlan_l3_elan_mhsh"
C ::1/128 via ::, lo.vxlan_l3_elan_mhsh, 07:33:21
B ::ffff:202:202/128 [0/0] via ::, tunvxlan3, 00:37:11
B ::ffff:505:505/128 [0/0] via ::, tunvxlan3, 00:37:11
B ::ffff:606:606/128 [0/0] via ::, tunvxlan3, 00:37:11
C 2000::/48 via ::, irb1604, 07:33:19
B 5301::/48 [200/0] via ::ffff:606:606 (recursive via ::, tunvxlan3), 00:37:12
[200/0] via ::ffff:505:505 (recursive via ::, tunvxlan3)
B 5301::40/128 [200/0] via ::ffff:606:606 (recursive via ::, tunvxlan3), 00:05:57
C fe80::/64 via ::, irb1604, 07:33:19
VTEP1#
VTEP1#show bgp l2vpn evpn mac-ip | grep 0000:0053:0040
0 605 0000:0053:0040 -- 605 0 6.6.6.6 -- VxLAN
0 605 0000:0053:0040 53.1.1.40 605 1604 6.6.6.6 -- VxLAN
0 605 0000:0053:0040 5301::40 605 1604 6.6.6.6 -- VxLAN
VTEP1#
In VTEP2:
 
VTEP2#show ip route vrf vxlan_l3_elan_mhsh
IP Route Table for VRF "vxlan_l3_elan_mhsh"
B 1.1.1.1/32 [0/0] is directly connected, tunvxlan3, 00:31:16
B 5.5.5.5/32 [0/0] is directly connected, tunvxlan3, 00:31:16
B 6.6.6.6/32 [0/0] is directly connected, tunvxlan3, 00:31:16
B 53.1.1.0/24 [200/0] via 6.6.6.6 (recursive is directly connected, tunvxlan3), 00:31:17
[200/0] via 5.5.5.5 (recursive is directly connected, tunvxlan3)
B 53.1.1.40/32 [200/0] via 6.6.6.6 (recursive is directly connected, tunvxlan3), 00:00:03
C 127.0.0.0/8 is directly connected, lo.vxlan_l3_elan_mhsh, 07:27:47
C 200.1.1.0/24 is directly connected, irb1604, 07:27:45
Gateway of last resort is not set
VTEP2#
VTEP2#show ipv6 route vrf vxlan_l3_elan_mhsh
IPv6 Routing Table
IP Route Table for VRF "vxlan_l3_elan_mhsh"
C ::1/128 via ::, lo.vxlan_l3_elan_mhsh, 07:27:54
B ::ffff:101:101/128 [0/0] via ::, tunvxlan3, 00:31:23
B ::ffff:505:505/128 [0/0] via ::, tunvxlan3, 00:31:23
B ::ffff:606:606/128 [0/0] via ::, tunvxlan3, 00:31:23
C 2000::/48 via ::, irb1604, 07:27:52
B 5301::/48 [200/0] via ::ffff:606:606 (recursive via ::, tunvxlan3), 00:31:23
[200/0] via ::ffff:505:505 (recursive via ::, tunvxlan3)
B 5301::40/128 [200/0] via ::ffff:606:606 (recursive via ::, tunvxlan3), 00:00:10
C fe80::/64 via ::, irb1604, 07:27:52
VTEP2#
VTEP2#show bgp l2vpn evpn mac-ip | grep 0000:0053:0040
0 605 0000:0053:0040 -- 605 0 6.6.6.6 -- VxLAN
0 605 0000:0053:0040 53.1.1.40 605 1604 6.6.6.6 -- VxLAN
0 605 0000:0053:0040 5301::40 605 1604 6.6.6.6 -- VxLAN
VTEP2#
In VTEP4:
 
VTEP4#show arp vrf vxlan_l3_elan_mhsh
Flags: D - Static Adjacencies attached to down interface
IP ARP Table for context vxlan_l3_elan_mhsh
Total number of entries: 1
Address Age MAC Address Interface State
1.1.1.1 - e8c5.7aa3.2cb0 tunvxlan3 PERMANENT
2.2.2.2 - e001.a657.ef01 tunvxlan3 PERMANENT
5.5.5.5 - 6cb9.c5b1.ab9c tunvxlan3 PERMANENT
53.1.1.40 00:02:57 0000.0053.0040 irb604 STALE
VTEP4#
 
VTEP4#show bgp l2vpn evpn mac-ip | grep 0000:0053:0040
0 605 0000:0053:0040 -- 605 0 6.6.6.6 -- VxLAN
0 605 0000:0053:0040 53.1.1.40 605 1604 6.6.6.6 -- VxLAN
0 605 0000:0053:0040 5301::40 605 1604 6.6.6.6 -- VxLAN
VTEP4#
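The before/after comparison above can be automated. The following Python script is an added example, not part of the vendor documentation: it parses saved "show ip route vrf" and "show bgp l2vpn evpn mac-ip" output and reports, for each MAC-IP entry that carries an IP, whether a /32 or /128 host route exists and whether its next hop is the advertising VTEP. The function names are hypothetical, and the column positions (field 4 as the host IP, field 6 as the L3 VNID, field 7 as the VTEP) are assumptions inferred from the outputs on this page. The L3 VNID is reported but not enforced, because it is not shown when redistribute connected-host-routes is used.

```python
import ipaddress
import re

# Sample lines copied from the VTEP1 validation output on this page (abbreviated).
ROUTES_AFTER = """\
B 6.6.6.6/32 [0/0] is directly connected, tunvxlan3, 00:37:03
B 53.1.1.0/24 [200/0] via 6.6.6.6 (recursive is directly connected, tunvxlan3), 00:37:04
B 53.1.1.40/32 [200/0] via 6.6.6.6 (recursive is directly connected, tunvxlan3), 00:05:49
B ::ffff:606:606/128 [0/0] via ::, tunvxlan3, 00:37:11
B 5301::40/128 [200/0] via ::ffff:606:606 (recursive via ::, tunvxlan3), 00:05:57
"""
MAC_IP_AFTER = """\
0 605 0000:0053:0040 -- 605 0 6.6.6.6 -- VxLAN
0 605 0000:0053:0040 53.1.1.40 605 1604 6.6.6.6 -- VxLAN
0 605 0000:0053:0040 5301::40 605 1604 6.6.6.6 -- VxLAN
"""
BGP_VIA = re.compile(r"^B\s+(\S+/\d+)\s+\[\d+/\d+\]\s+via\s+([0-9A-Fa-f:.]+)")

def normalize(addr):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:606:606 -> 6.6.6.6)."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def host_routes(route_output):
    """Map each BGP /32 or /128 host prefix to its next hop."""
    routes = {}
    for line in route_output.splitlines():
        m = BGP_VIA.match(line.strip())
        if m:  # skips connected routes, ECMP continuation lines, headers
            net = ipaddress.ip_network(m.group(1), strict=False)
            hop = ipaddress.ip_address(m.group(2))
            # Tunnel endpoint entries show "via ::" and are not host routes.
            if net.prefixlen == net.max_prefixlen and not hop.is_unspecified:
                routes[net.network_address] = normalize(m.group(2))
    return routes

def audit(mac_ip_output, route_output):
    """Return {host: (state, l3vni)} for every MAC-IP entry that carries an IP."""
    routes, report = host_routes(route_output), {}
    for line in mac_ip_output.splitlines():
        f = line.split()
        if len(f) < 7 or f[3] == "--":  # MAC-only entry, no host route expected
            continue
        host, l3vni, vtep = ipaddress.ip_address(f[3]), int(f[5]), normalize(f[6])
        hop = routes.get(host)
        state = "missing" if hop is None else "ok" if hop == vtep else "nexthop-mismatch"
        report[str(host)] = (state, l3vni)
    return report
```

Calling audit(MAC_IP_AFTER, ROUTES_AFTER) returns "ok" with L3 VNID 1604 for both 53.1.1.40 and 5301::40; run against the pre-configuration output, the same hosts are reported as "missing".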
 
Glossary
The following defines the key terms and abbreviations used throughout this document:

Key Terms/Acronym: Description
ECMP: ECMP stands for Equal-Cost Multi-Path. It's a routing technique used in computer networks, particularly in IP-based routing protocols like OSPF (Open Shortest Path First) and BGP (Border Gateway Protocol).
VTEPs: VTEP stands for VXLAN Tunnel Endpoint. It's a crucial component in network virtualization architectures, particularly in overlay networks using VXLAN (Virtual Extensible LAN) technology.
ARP/MAC: ARP (Address Resolution Protocol) and MAC (Media Access Control) address are both essential components of networking, particularly in Ethernet-based networks.
VLAN/VNI: VLAN (Virtual Local Area Network) and VNI (Virtual Network Identifier) are both technologies used in networking to segment and manage traffic within a larger network infrastructure.