Asymmetric vs Symmetric IRB:
- EVPN Integrated Routing and Bridging (IRB) has two options:
  - asymmetric IRB
  - symmetric IRB
Asymmetric IRB
- Ingress VTEP does both L2 & L3 lookup
- Egress VTEP does L2 lookup only
- i.e. Bridge - Route - Bridge
Symmetric IRB
- Ingress VTEP does both L2 & L3 lookup
- Egress VTEP does both L3 & L2 lookup
- i.e. Bridge-Route-Bridge
A----(L2)--SVI--(L3)---SVI-------(L3)-------SVI----(L2)------B
Asymmetric IRB issues
- Every VTEP must have all VNIs that require routing configured locally; the result is larger ARP cache and CAM table sizes on every VTEP, i.e. a control-plane scaling issue.
VxLAN BGP EVPN with L3 VNIs:
install feature-set virtualization
install feature-set fabric
feature-set fabric
feature fabric forwarding
feature nv overlay evpn
feature ospf
feature bgp
feature pim
feature interface-vlan
feature nv overlay
feature vn-segment-vlan-based
!
! L2 VNI for VLAN 11, L3 VNI (VLAN 33) for the CUSTOMER1 VRF
vlan 11
  vn-segment 11111
vlan 33
  vn-segment 33333
!
vrf context CUSTOMER1
  vni 33333
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
!
! Anycast gateway SVI for the L2 VNI. The VRF membership and the
! gateway address are two separate commands (the original collapsed
! them into "vrf member 11.0.0.0.254/24").
interface vlan 11
  no shutdown
  vrf member CUSTOMER1
  ip address 11.0.0.254/24
  fabric forwarding mode anycast-gateway
!
! Transit SVI for the L3 VNI: no IP address, it only forwards in the VRF
interface vlan 33
  no shutdown
  vrf member CUSTOMER1
  ip forward
!
interface nve1
  no shutdown
  source-interface loopback0
  host-reachability protocol bgp
  member vni 11111
    mcast-group 224.11.11.11
  member vni 33333 associate-vrf
!
route-map PERMIT permit 10
!
router bgp 12345
  neighbor 1.1.1.71
    remote-as 12345
    update-source loopback0
    address-family l2vpn evpn
      send-community both
  neighbor 1.1.1.72
    remote-as 12345
    update-source loopback0
    address-family l2vpn evpn
      send-community both
  vrf CUSTOMER1
    ! added for completeness: exports the VRF's IPv4 prefixes into EVPN
    address-family ipv4 unicast
      advertise l2vpn evpn
!
evpn
  vni 11111 l2
    rd auto
    route-target import auto
    route-target export auto
!
vrf default
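The relationships in the configuration above (VLAN to vn-segment, VRF to L3 VNI, gateway SVI versus transit SVI, nve membership with and without associate-vrf) are easy to get wrong by hand, as the original "vrf member 11.0.0.0.254/24" slip shows. The following is an added example, not from the page or from Cisco: a small parser for the indentation-based NX-OS blocks plus a consistency checker that flags exactly those mismatches. The sample config is constructed to mirror the page's example; function names and the wording of the problem messages are my own.

```python
"""Consistency checks for the L2 VNI / L3 VNI pieces of an NX-OS VXLAN EVPN config.

Added example: the checks encode the relationships the notes describe
(vlan -> vn-segment, vrf context -> vni, SVIs, nve membership). The sample
config is constructed to mirror the page's example; function names are mine.
"""

SAMPLE_CONFIG = """\
vlan 11
  vn-segment 11111
vlan 33
  vn-segment 33333
vrf context CUSTOMER1
  vni 33333
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
interface vlan 11
  no shutdown
  vrf member CUSTOMER1
  ip address 11.0.0.254/24
  fabric forwarding mode anycast-gateway
interface vlan 33
  no shutdown
  vrf member CUSTOMER1
  ip forward
interface nve1
  no shutdown
  source-interface loopback0
  host-reachability protocol bgp
  member vni 11111
    mcast-group 224.11.11.11
  member vni 33333 associate-vrf
"""

# Same config with the L2 VNI's SVI left out of the VRF (the slip in the page's original).
BROKEN_CONFIG = SAMPLE_CONFIG.replace("  vrf member CUSTOMER1\n  ip address", "  ip address")


def parse_blocks(text):
    """Split into (header, [indented child lines]) by indentation; skip blanks and '!' lines."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def build_model(text):
    """Collect the VNI-related facts: vlan->vni, vrf->L3 vni, SVI bodies, nve members."""
    model = {"vlan_vni": {}, "vrf_vni": {}, "svi": {}, "nve_l2": set(), "nve_l3": set()}
    for header, body in parse_blocks(text):
        w = header.split()
        if w[0] == "vlan":
            for child in body:
                if child.startswith("vn-segment "):
                    model["vlan_vni"][int(w[1])] = int(child.split()[1])
        elif w[:2] == ["vrf", "context"]:
            for child in body:
                if child.startswith("vni "):
                    model["vrf_vni"][w[2]] = int(child.split()[1])
        elif w[:2] == ["interface", "vlan"]:
            model["svi"][int(w[2])] = body
        elif w[0] == "interface" and w[1].startswith("nve"):
            for child in body:
                c = child.split()
                if c[:2] == ["member", "vni"]:
                    model["nve_l3" if "associate-vrf" in c else "nve_l2"].add(int(c[2]))
    return model


def check_config(text):
    """Return a list of problems; an empty list means the VNI plumbing is consistent."""
    m = build_model(text)
    problems = []
    l3_vnis = set(m["vrf_vni"].values())
    for vlan, vni in sorted(m["vlan_vni"].items()):
        svi = m["svi"].get(vlan, [])
        vrf = next((line.split()[2] for line in svi if line.startswith("vrf member ")), None)
        if vni in l3_vnis:                      # L3 VNI: transit SVI, no address
            if vni not in m["nve_l3"]:
                problems.append(f"vni {vni}: missing 'member vni {vni} associate-vrf' under nve")
            if "ip forward" not in svi:
                problems.append(f"vlan {vlan}: L3 VNI SVI needs 'ip forward'")
        else:                                   # L2 VNI: anycast gateway SVI
            if vni not in m["nve_l2"]:
                problems.append(f"vni {vni}: not a member vni under nve")
            if not any(line.startswith("ip address ") for line in svi):
                problems.append(f"vlan {vlan}: gateway SVI has no ip address")
            if "fabric forwarding mode anycast-gateway" not in svi:
                problems.append(f"vlan {vlan}: SVI is not an anycast gateway")
        if vrf is None:
            problems.append(f"vlan {vlan}: SVI has no 'vrf member' (would route in the global table)")
        elif vrf not in m["vrf_vni"]:
            problems.append(f"vlan {vlan}: vrf {vrf} has no L3 VNI, routed traffic cannot leave the VTEP")
    return problems


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, check_config(cfg) or "OK")
```

Run it as a script to see the sample pass and the broken variant report the VLAN 11 SVI that sits outside the VRF; the same checker can be pointed at `show running-config` output, since it only relies on NX-OS indentation.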
vPC & VxLAN
vPC & VxLAN BGP traffic flow problems:
- VxLAN traffic is tunneled over the overlay network using the BGP next-hop address of the remote VTEP
- The NVE source interface (i.e. loopback0) is the default BGP next-hop for advertised routes
- In a vPC, both vPC peers advertise duplicate EVPN MAC/IP routes to the spine RRs
- With all other attributes equal, the next-hop is the tie-breaker in BGP best-path selection
- This implies that one vPC peer is always preferred for dual-attached hosts
- Result: egress traffic from the vPC members is load balanced, but ingress traffic is polarized onto one peer
- Workaround is to use an anycast VTEP address
vPC Anycast VTEP
- vPC peers share a duplicate IP address on the NVE source interface:
  - Peer1 - interface loopback0; ip address 1.1.1.51/32
  - Peer2 - interface loopback0; ip address 1.1.1.52/32
  - Both peers - interface loopback0; ip address 1.1.1.111/32 secondary
- The BGP next-hop is automatically set to the secondary address for locally originated routes
  - i.e. L2VPN EVPN MAC/IP routes for vPC member ports
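The polarization described in the two sections above is easiest to see by modelling it. The following is an added example, not from the page or from any vendor code: a reduced EVPN Type-2 route model where both vPC peers advertise every dual-attached host, best-path selection falls through to the lowest next-hop when all other attributes are equal (the tie-break the notes point to; this is a simplification, not the full RFC 4271 decision process), and the underlay's ECMP toward the shared anycast /32 is modelled as a per-flow hash. The host list, flow strings, and function names are constructed for the example.

```python
"""Model of the vPC next-hop polarization the notes describe, and the anycast VTEP fix.

Added example, not from the page: a simplified EVPN Type-2 route model with
constructed hosts; best-path is reduced to the attributes the notes name (equal
attributes, lowest next-hop as tie-break) and underlay ECMP is a per-flow hash.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass

PEER1_LO0, PEER2_LO0 = "1.1.1.51", "1.1.1.52"     # per-peer NVE source addresses
ANYCAST_VTEP = "1.1.1.111"                        # shared secondary on both peers


@dataclass(frozen=True)
class EvpnRoute:
    mac: str
    ip: str
    next_hop: str
    local_pref: int = 100
    as_path_len: int = 0
    med: int = 0


def ip_key(addr):
    """Numeric tuple so '1.1.1.52' does not sort before '1.1.1.111' as a string."""
    return tuple(int(o) for o in addr.split("."))


def best_path(candidates):
    """Higher local-pref, shorter AS path, lower MED; with all equal the lowest
    next-hop wins (model of the tie-break the notes describe, not full RFC 4271)."""
    return min(candidates, key=lambda r: (-r.local_pref, r.as_path_len, r.med, ip_key(r.next_hop)))


def dual_attached_routes(hosts, anycast):
    """Both vPC peers advertise every dual-attached host to the spine RRs."""
    nh1 = ANYCAST_VTEP if anycast else PEER1_LO0
    nh2 = ANYCAST_VTEP if anycast else PEER2_LO0
    return {ip: [EvpnRoute(mac, ip, nh1), EvpnRoute(mac, ip, nh2)] for mac, ip in hosts}


def chosen_next_hops(hosts, anycast):
    """Which next-hop the RR (and hence every remote VTEP) selects per host."""
    return Counter(best_path(paths).next_hop for paths in dual_attached_routes(hosts, anycast).values())


def underlay_egress_vtep(next_hop, flow):
    """Underlay forwarding toward the chosen next-hop: a /32 owned by one peer goes
    to that peer only; the anycast /32 is reachable via both, so the spine ECMPs per flow."""
    if next_hop != ANYCAST_VTEP:
        return next_hop
    bucket = hashlib.md5(flow.encode()).digest()[0] % 2   # constructed hash-based ECMP
    return (PEER1_LO0, PEER2_LO0)[bucket]


def ingress_distribution(hosts, flows_per_host, anycast):
    """Count which physical vPC peer receives the ingress traffic for constructed flows."""
    dist = Counter()
    for ip, paths in dual_attached_routes(hosts, anycast).items():
        nh = best_path(paths).next_hop
        for n in range(flows_per_host):
            dist[underlay_egress_vtep(nh, f"10.9.9.{n}:{40000 + n}->{ip}")] += 1
    return dist


# Constructed dual-attached hosts in VLAN 11 (same subnet as the page's anycast gateway).
HOSTS = [(f"0000.1111.{i:04x}", f"11.0.0.{i}") for i in range(1, 51)]

if __name__ == "__main__":
    print("next-hops chosen, no anycast:", dict(chosen_next_hops(HOSTS, anycast=False)))
    print("ingress per peer, no anycast:", dict(ingress_distribution(HOSTS, 4, anycast=False)))
    print("next-hops chosen, anycast:   ", dict(chosen_next_hops(HOSTS, anycast=True)))
    print("ingress per peer, anycast:   ", dict(ingress_distribution(HOSTS, 4, anycast=True)))
```

Without the anycast address every host resolves to the peer with the lower loopback and all ingress traffic lands on it; with the shared secondary both advertisements carry the same next-hop, the RR has nothing to tie-break, and the spreading happens in the underlay's ECMP toward 1.1.1.111/32 instead.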
Nexus 5600 & NVE Peer-Link-VLAN
- On Nexus 5600, all traffic across the vPC peer link must be VxLAN encapsulated due to the ASIC implementation
- A normal vPC peer link is a classical Ethernet trunk
- Result is that East/West flows over the vPC peer link are all broken by default
  - i.e. the VNI number is lost when the packet is sent out the peer link
- The peer link is normally only used for orphans or in failure scenarios
  - Result is that everything looks fine until the failure occurs
  - Traffic to orphans & single-attached members is black-holed over the vPC peer link
- Workaround is to maintain VxLAN encapsulation across the peer link
  - implemented as "vpc nve peer-link-vlan"
Configuring NVE Peer-Link-VLAN
- Create a new VLAN & specify it as the NVE peer-link VLAN (vlan 999; vpc nve peer-link-vlan 999)
- Establish layer 3 peering across the NVE peer-link VLAN (interface vlan 999; ip router ospf 1 area 0)
- Traffic engineering so the other vPC peer's VTEP loopback is preferred over the vPC peer link
  - ip ospf cost 10
  - isis metric 10 level-2