Aruba EVPN Configuration Guide

Category
Networking
Type
Configuration Guide
HPE FlexFabric 5940 & 5930 Switch Series
EVPN Configuration Guide
Part number: 5200-4858c
Software version: Release 2609 and later
Document version: 6W103-20200310
© Copyright 2020 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
EVPN overview
  EVPN network model
  Layered transport network
  MP-BGP extension for EVPN
  Configuration automation
  Assignment of traffic to VXLANs
    Traffic from the local site to a remote site
    Traffic from a remote site to the local site
  Layer 2 forwarding
    MAC learning
    Unicast
    Flood
  Layer 3 forwarding
    Centralized EVPN gateway deployment
    Distributed EVPN gateway deployment
  RD and route target selection of BGP EVPN routes
  EVPN multihoming
    Overview
    DF election
    Split horizon
    Redundancy mode
    IP aliasing
  EVPN multicast
    Multicast in single-homed sites
    Multicast in multihomed sites
  ARP flood suppression
  MAC mobility
  EVPN distributed relay
Configuring EVPN
  Feature and hardware compatibility
  Configuration restrictions and guidelines
    VXLAN tunnel configuration restrictions and guidelines
    EVPN gateway configuration restrictions and guidelines
  EVPN configuration task list
  Setting the VXLAN hardware resource mode
    Overview
    Configuration restrictions and guidelines
    Configuration procedure
  Creating a VXLAN on a VSI
  Configuring an EVPN instance
  Configuring EVPN multihoming
    Configuration restrictions and guidelines
    Assigning an ESI to an interface
    Setting the DF election delay
    Disabling advertisement of EVPN multihoming routes
  Configuring BGP to advertise BGP EVPN routes
  Mapping ACs to a VSI
    Mapping a static Ethernet service instance to a VSI
    Mapping dynamic Ethernet service instances to VSIs
  Configuring a centralized EVPN gateway
    Configuration restrictions and guidelines
    Configuration procedure
  Configuring a distributed EVPN gateway
    Configuration restrictions and guidelines
    Configuration prerequisites
    Configuring a VSI interface
    Configuring an L3 VXLAN ID for a VSI interface
    Configuring IP prefix route advertisement
    Disabling generation of IP prefix advertisement routes for the subnets of a VSI interface
  Managing remote MAC address entries and remote ARP or ND learning
    Disabling remote MAC address learning and remote ARP or ND learning
    Disabling MAC address advertisement
    Disabling learning of MAC addresses from ARP or ND information
    Disabling ARP information advertisement
  Enabling conversational learning for forwarding entries
    Overview
    Configuration restrictions and guidelines
    Enabling conversational learning for remote MAC address entries
    Enabling conversational learning for host route FIB entries
  Enabling BGP EVPN route advertisement to the local site
  Confining floods to the local site
  Enabling ARP flood suppression
  Enabling packet statistics for automatically created VXLAN tunnels
  Configuring EVPN distributed relay
    Overview
    Configuration restrictions and guidelines
    Configuration prerequisites
    Configuration procedure
  Displaying and maintaining EVPN
  EVPN configuration examples
    Centralized IPv4 EVPN gateway configuration example
    Distributed IPv4 EVPN gateway configuration example
    Distributed IPv6 EVPN gateway configuration example
    IPv4 EVPN distributed relay configuration example (Ethernet aggregate link as IPL)
    IPv4 EVPN distributed relay configuration example (VXLAN tunnel as IPL)
    IPv4 EVPN multihoming configuration example
    EVPN multicast configuration example
Configuring EVPN-DCI
  Overview
    EVPN-DCI network model
    Working mechanisms
    EVPN-DCI dual-homing
  Feature and hardware compatibility
  EVPN-DCI configuration task list
  Configuration prerequisites
  Enabling DCI
  Enabling route nexthop replacement and route router MAC replacement
  Configuring VXLAN mapping
    Overview
    Configuration restrictions and guidelines
    Configuration procedure
  Configuring EVPN-DCI dual-homing
    Overview
    Configuration restrictions and guidelines
    Configuration procedure
  EVPN-DCI configuration examples
    Basic EVPN-DCI configuration example
    EVPN-DCI intermediate VXLAN mapping configuration example
    EVPN-DCI IPv4 Layer 3 communication configuration example
    EVPN-DCI IPv6 Layer 3 communication configuration example
    EVPN-DCI dual-homing configuration example
Document conventions and icons
  Conventions
  Network topology icons
Support and other resources
  Accessing Hewlett Packard Enterprise Support
  Accessing updates
    Websites
    Customer self repair
    Remote support
    Documentation feedback
Index
EVPN overview
Ethernet Virtual Private Network (EVPN) is a Layer 2 VPN technology that provides both Layer 2 and
Layer 3 connectivity between distant network sites across an IP network. EVPN uses MP-BGP in the
control plane and VXLAN in the data plane. EVPN is typically used in data centers for multitenant
services.
EVPN provides the following benefits:
• Configuration automation—MP-BGP automates VTEP discovery, VXLAN tunnel
  establishment, and VXLAN tunnel assignment to ease deployment.
• Separation of the control plane and the data plane—EVPN uses MP-BGP to advertise host
  reachability information in the control plane and uses VXLAN to forward traffic in the data plane.
• Integrated routing and bridging (IRB)—MP-BGP advertises both Layer 2 and Layer 3 host
  reachability information to provide optimal forwarding paths and minimize flooding.
EVPN network model
As shown in Figure 1, EVPN uses the VXLAN technology for traffic forwarding in the data plane. The
transport edge devices assign VMs to different VXLANs, and then forward traffic between sites for
VMs by using VXLAN tunnels. The transport edge devices are VXLAN tunnel endpoints (VTEPs).
They can be servers that host VMs or independent network devices.
A VTEP uses ESs, VSIs, and VXLAN tunnels to provide VXLAN services:
• Ethernet segment (ES)—An ES is a link that connects a site to a VTEP. Each ES is uniquely
  identified by an Ethernet segment identifier (ESI).
• VSI—A virtual switch instance is a virtual Layer 2 switched domain. Each VSI provides
  switching services only for one VXLAN. VSIs learn MAC addresses and forward frames
  independently of one another. VMs in different sites have Layer 2 connectivity if they are in the
  same VXLAN. A VXLAN is identified by a 24-bit VXLAN ID which is also called the virtual
  network identifier (VNI). A VXLAN corresponds to an EVPN instance.
• VXLAN tunnel—A VXLAN tunnel is a logical point-to-point tunnel between VTEPs over the
  transport network. Each VXLAN tunnel can trunk multiple VXLANs.
All VXLAN processing is performed on VTEPs. The ingress VTEP encapsulates VXLAN traffic in the
VXLAN, outer UDP, and outer IP headers, and forwards the traffic through VXLAN tunnels. The
egress VTEP removes the VXLAN encapsulation and forwards the traffic to the destination.
Transport network devices (for example, the P device in Figure 1) forward VXLAN traffic only based
on the outer IP header of VXLAN packets.
Figure 1 EVPN network model
Layered transport network
As shown in Figure 2, typically the EVPN transport network uses a layered structure. On the
transport network, leaf nodes act as VTEPs to provide VXLAN services, and spine nodes perform
forwarding for VXLAN traffic based on the outer IP header. If all VTEPs and transport network
devices of an EVPN network belong to the same AS, the spine nodes can act as route reflectors
(RRs) to reflect routes between the VTEPs. In this scenario, the spine nodes advertise and receive
BGP EVPN routes, but do not perform VXLAN encapsulation and de-encapsulation.
Figure 2 Layered transport network
MP-BGP extension for EVPN
To support EVPN, MP-BGP introduces the EVPN subsequent address family under the L2VPN
address family and the following network layer reachability information (BGP EVPN routes):
• Ethernet auto-discovery route—Advertises ES information in multihomed sites.
• MAC/IP advertisement route—Advertises MAC reachability information and host route
  information (host ARP or ND information).
• Inclusive multicast Ethernet tag (IMET) route—Advertises VTEP and VXLAN mappings for
  automating VTEP discovery, VXLAN tunnel establishment, and VXLAN tunnel assignment.
• Ethernet segment route—Advertises ES and VTEP mappings.
• IP prefix advertisement route—Advertises BGP IPv4 or IPv6 unicast routes as IP prefixes.
• Selective multicast Ethernet tag (SMET) route—Advertises IGMP multicast group
  information among VTEPs in an EVPN network. A VTEP advertises an SMET route only when
  receiving a membership report for an IGMP multicast group for the first time. The VTEP does
  not advertise an SMET route if subsequent membership reports for the multicast group use the
  same IGMP version as the first membership report.
• IGMP join synch route—Advertises IGMP membership reports among redundant VTEPs for
  an ES.
• IGMP leave synch route—Advertises IGMP leave group messages for withdrawal of IGMP
  join synch routes among redundant VTEPs for an ES.
MP-BGP uses the route distinguisher (RD) field to differentiate BGP EVPN routes of different
VXLANs and uses route targets to control the advertisement and acceptance of BGP EVPN routes.
MP-BGP supports the following types of route targets:
• Export targets—A VTEP sets the export targets for BGP EVPN routes learned from the local
  site before advertising them to remote VTEPs.
• Import targets—A VTEP checks the export targets of BGP EVPN routes received from remote
  VTEPs. The VTEP imports the BGP EVPN routes only when their export targets match the local
  import targets.
Configuration automation
VTEPs use BGP EVPN routes to discover VTEP neighbors, establish VXLAN tunnels, and assign
the tunnels to VXLANs.
• IMET route—VTEPs advertise their VXLAN IDs through IMET routes. If two VTEPs have the
  same VXLAN ID, they automatically establish a VXLAN tunnel and assign the tunnel to the
  VXLAN.
• MAC/IP advertisement route and IP prefix advertisement route—In the EVPN gateway
  deployment, VTEPs advertise MAC/IP advertisement routes or IP prefix advertisement routes
  which carry export targets. When a VTEP receives a route, it compares the export targets of the
  route with the local import targets. If the route targets match, the VTEP establishes a VXLAN
  tunnel with the remote VTEP and associates the tunnel with the L3 VXLAN ID of the
  corresponding VPN instance. For more information about the L3 VXLAN ID, see "Distributed
  EVPN gateway deployment."
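The route-target import rule and the IMET-driven tunnel setup described above, as an added Python example that is not HPE code: it models each EVPN instance's import and export targets, derives which VXLAN tunnels come up, and reports any route that is accepted by an instance with a different VXLAN ID. The VTEP names, RD and route-target values, and the choice to report a cross-VXLAN import as a finding to review are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from itertools import permutations


def rt(*values):
    """Route targets are compared as sets of strings such as "65000:10"."""
    return frozenset(values)


@dataclass(frozen=True)
class EvpnInstance:
    vxlan_id: int
    rd: str                     # route distinguisher: keeps routes of different VXLANs apart
    import_targets: frozenset
    export_targets: frozenset


@dataclass(frozen=True)
class EvpnRoute:
    route_type: str             # only "IMET" is generated in this example
    origin: str                 # advertising VTEP
    rd: str
    vxlan_id: int
    export_targets: frozenset


@dataclass
class Vtep:
    name: str
    instances: list = field(default_factory=list)

    def imet_routes(self):
        """One IMET route per local VXLAN, stamped with that instance's export targets."""
        return [EvpnRoute("IMET", self.name, i.rd, i.vxlan_id, i.export_targets)
                for i in self.instances]

    def accepting_instances(self, route):
        """Import rule: accept when an export target of the route matches a local import target."""
        return [i for i in self.instances if i.import_targets & route.export_targets]


def evaluate(vteps):
    """Return (tunnels, findings) for every ordered pair of VTEPs.

    tunnels  - (local, remote, vxlan_id): the route was imported and both sides use that VXLAN ID
    findings - (local, local_vxlan, remote, remote_vxlan, matched_targets): the route was imported
               into an instance of a different VXLAN (assumption: worth an operator's review)
    """
    tunnels, findings = set(), []
    for local, remote in permutations(vteps, 2):
        for route in remote.imet_routes():
            for inst in local.accepting_instances(route):
                if inst.vxlan_id == route.vxlan_id:
                    tunnels.add((local.name, remote.name, inst.vxlan_id))
                else:
                    matched = tuple(sorted(inst.import_targets & route.export_targets))
                    findings.append((local.name, inst.vxlan_id,
                                     remote.name, route.vxlan_id, matched))
    return tunnels, findings


def constructed_fabric():
    """Constructed sample: VXLAN 30 on VTEP-B also imports the target used by VXLAN 20."""
    vtep_a = Vtep("VTEP-A", [
        EvpnInstance(10, "1:10", rt("65000:10"), rt("65000:10")),
        EvpnInstance(20, "1:20", rt("65000:20"), rt("65000:20")),
    ])
    vtep_b = Vtep("VTEP-B", [
        EvpnInstance(10, "2:10", rt("65000:10"), rt("65000:10")),
        EvpnInstance(30, "2:30", rt("65000:30", "65000:20"), rt("65000:30")),
    ])
    return [vtep_a, vtep_b]


if __name__ == "__main__":
    tunnels, findings = evaluate(constructed_fabric())
    for local, remote, vxlan_id in sorted(tunnels):
        print(f"tunnel  {local} -> {remote}  VXLAN {vxlan_id}")
    for local, lv, remote, rv, matched in findings:
        print(f"review  {local} VXLAN {lv} imports {remote} VXLAN {rv} via {', '.join(matched)}")
```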
Assignment of traffic to VXLANs
Traffic from the local site to a remote site
The VTEP uses an Ethernet service instance to match customer traffic on a site-facing interface. The
VTEP assigns customer traffic to a VXLAN by mapping the Ethernet service instance to a VSI.
An Ethernet service instance is identical to an attachment circuit (AC) in L2VPN. An Ethernet service
instance matches a list of VLANs on a Layer 2 Ethernet interface by using a frame match criterion.
The frame match criterion specifies the characteristics of traffic from the VLANs, such as tagging
status and VLAN IDs.
As shown in Figure 3, Ethernet service instance 1 matches VLAN 2 and is mapped to VSI A (VXLAN
10). When a frame from VLAN 2 arrives, the VTEP assigns the frame to VXLAN 10 and looks up VSI
A's MAC address table for the outgoing interface.
Figure 3 Identifying traffic from the local site
Traffic from a remote site to the local site
When a VXLAN packet arrives at a VXLAN tunnel interface, the VTEP uses the VXLAN ID in the
packet to identify its VXLAN.
Layer 2 forwarding
MAC learning
The VTEP performs Layer 2 forwarding based on a VSI's MAC address table. The VTEP learns MAC
addresses by using the following methods:
• Local MAC learning—The VTEP automatically learns the source MAC addresses of frames
  sent from the local site. The outgoing interfaces of local MAC address entries are site-facing
  interfaces on which the MAC addresses are learned.
• Remote MAC learning—The VTEP uses MP-BGP to advertise local MAC reachability
  information to remote sites and learn MAC reachability information from remote sites. The
  outgoing interfaces of MAC address entries advertised from a remote site are VXLAN tunnel
  interfaces.
Unicast
As shown in Figure 4, the VTEP performs typical Layer 2 forwarding for known unicast traffic within
the local site.
Figure 4 Intra-site unicast
MAC table on VTEP 1 (Figure 4):
  VXLAN/VSI         MAC     Interface
  VXLAN 10/VSI A    MAC 1   Interface A, VLAN 2
  VXLAN 10/VSI A    MAC 4   Interface B, VLAN 3
As shown in Figure 5, the following process applies to a known unicast frame between sites:
1. The source VTEP encapsulates the Ethernet frame in the VXLAN/UDP/IP header.
   In the outer IP header, the source IP address is the source VTEP's VXLAN tunnel source IP
   address. The destination IP address is the VXLAN tunnel destination IP address.
2. The source VTEP forwards the encapsulated packet out of the outgoing VXLAN tunnel
   interface found in the VSI's MAC address table.
3. The intermediate transport devices (P devices) forward the packet to the destination VTEP by
   using the outer IP header.
4. The destination VTEP removes the headers on top of the inner Ethernet frame. It then performs
   MAC address table lookup in the VXLAN's VSI to forward the frame out of the matching
   outgoing interface.
Figure 5 Inter-site unicast
MAC table on VTEP 1 (Figure 5):
  VXLAN/VSI         MAC     Interface
  VXLAN 10/VSI A    MAC 1   Interface A, VLAN 2
  VXLAN 10/VSI A    MAC 7   Tunnel 1
MAC table on VTEP 2 (Figure 5):
  VXLAN/VSI         MAC     Interface
  VXLAN 10/VSI A    MAC 1   Tunnel 1
  VXLAN 10/VSI A    MAC 7   Interface A, VLAN 3
Flood
As shown in Figure 6, a VTEP floods a broadcast, multicast, or unknown unicast frame to all
site-facing interfaces and VXLAN tunnels in the VXLAN, except for the incoming interface. The
source VTEP replicates the flood frame, and then sends one replica to the destination IP address of
each VXLAN tunnel in the VXLAN. Each destination VTEP floods the inner Ethernet frame to all the
site-facing interfaces in the VXLAN. To avoid loops, the destination VTEPs do not flood the frame to
VXLAN tunnels.
Figure 6 Forwarding of flood traffic
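The inter-site unicast steps and the flood rule above, as an added Python example that is not HPE code: it builds and parses the VXLAN header, selects the VSI from the VXLAN ID, and applies the known-unicast and flood decisions on both VTEPs. The 8-byte header layout follows RFC 7348; the outer UDP and IP headers are omitted, the MAC addresses are constructed, and remote MAC entries are installed by hand where a VTEP would learn them through MP-BGP.

```python
import struct

VXLAN_I_FLAG = 0x08      # "VNI valid" flag in the first header byte (RFC 7348)
ETH_HDR_LEN = 14


def vxlan_encap(vni, frame):
    """Prepend the VXLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VXLAN ID must fit in 24 bits")
    return struct.pack("!II", VXLAN_I_FLAG << 24, vni << 8) + frame


def vxlan_decap(payload):
    """Return (vni, inner_frame); reject truncated input and headers without the I flag."""
    if len(payload) < 8 + ETH_HDR_LEN:
        raise ValueError("truncated VXLAN payload")
    word0, word1 = struct.unpack("!II", payload[:8])
    if not (word0 >> 24) & VXLAN_I_FLAG:
        raise ValueError("VNI flag not set")
    return word1 >> 8, payload[8:]


class Vsi:
    """One virtual switch instance: serves exactly one VXLAN."""
    def __init__(self, vni, site_ports, tunnels):
        self.vni, self.site_ports, self.tunnels = vni, list(site_ports), list(tunnels)
        self.mac_table = {}          # MAC (bytes) -> outgoing interface name


def must_flood(vsi, dst_mac):
    """Broadcast and multicast (group bit set) and unknown unicast are flooded."""
    return bool(dst_mac[0] & 1) or dst_mac not in vsi.mac_table


class Vtep:
    def __init__(self, *vsis):
        self.vsis = {v.vni: v for v in vsis}

    def from_site(self, vni, in_port, frame):
        """Frame already assigned to a VXLAN by its Ethernet service instance."""
        vsi = self.vsis[vni]
        vsi.mac_table[frame[6:12]] = in_port         # local MAC learning (source MAC)
        if must_flood(vsi, frame[:6]):
            # All site-facing interfaces and tunnels of the VXLAN except the incoming one.
            ports = [p for p in vsi.site_ports + vsi.tunnels if p != in_port]
        else:
            ports = [vsi.mac_table[frame[:6]]]
        return [(p, vxlan_encap(vni, frame) if p in vsi.tunnels else frame) for p in ports]

    def from_tunnel(self, payload):
        """Egress side: decapsulate, pick the VSI by VXLAN ID, look up the inner destination."""
        vni, frame = vxlan_decap(payload)
        vsi = self.vsis.get(vni)
        if vsi is None:
            return []                                # no VSI for this VXLAN ID: nothing to forward to
        if must_flood(vsi, frame[:6]):
            return [(p, frame) for p in vsi.site_ports]   # never flooded back into tunnels
        out = vsi.mac_table[frame[:6]]
        # Assumption: a hit that points at a tunnel is also dropped, for the same loop-avoidance reason.
        return [] if out in vsi.tunnels else [(out, frame)]


# Constructed sample data, following the MAC tables of Figure 5.
MAC1 = bytes.fromhex("020000000001")
MAC7 = bytes.fromhex("020000000007")
BCAST = b"\xff" * 6


def eth(dst, src, payload=b"constructed-payload"):
    return dst + src + b"\x08\x00" + payload


def build_fabric():
    vsi1 = Vsi(10, ["Interface A", "Interface B"], ["Tunnel 1"])
    vsi1.mac_table[MAC7] = "Tunnel 1"                 # remote entry (stands in for MP-BGP)
    vsi2 = Vsi(10, ["Interface A"], ["Tunnel 1"])
    vsi2.mac_table.update({MAC1: "Tunnel 1", MAC7: "Interface A"})
    return Vtep(vsi1), Vtep(vsi2)


if __name__ == "__main__":
    vtep1, vtep2 = build_fabric()
    for frame in (eth(MAC7, MAC1), eth(BCAST, MAC1)):
        for port, data in vtep1.from_site(10, "Interface A", frame):
            print("VTEP 1 ->", port, len(data), "bytes")
            if port == "Tunnel 1":
                print("  VTEP 2 ->", [p for p, _ in vtep2.from_tunnel(data)])
```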
Layer 3 forwarding
EVPN uses EVPN gateways to provide Layer 3 forwarding services for hosts in VXLANs. EVPN
provides the following EVPN gateway placement designs:
• Centralized EVPN gateway deployment—Uses one VTEP to provide Layer 3 forwarding for
  VXLANs. Typically, the gateway-collocated VTEP connects to other VTEPs and the external
  network. To use this design, make sure the gateway has sufficient bandwidth and processing
  capability.
• Distributed EVPN gateway deployment—Deploys one EVPN gateway on each VTEP to
  provide Layer 3 forwarding for VXLANs at their respective sites. This design distributes the
  Layer 3 traffic load across VTEPs. However, its configuration is more complex than the
  centralized EVPN gateway design.
In either design, the gateways use virtual Layer 3 VSI interfaces as gateway interfaces for VXLANs.
NOTE:
A centralized EVPN gateway can provide services only for IPv4 sites. A distributed EVPN gateway
can provide services for both IPv4 sites and IPv6 sites. This section uses IPv4 sites as examples to
describe the Layer 3 forwarding process of EVPN networks.
Centralized EVPN gateway deployment
As shown in Figure 7, a VTEP acts as a gateway for VMs in the VXLANs. The VTEP both terminates
the VXLANs and performs Layer 3 forwarding for the VMs. The network uses the following process
to forward Layer 3 traffic from a VM to the destination:
1. The VM sends an ARP request to obtain the MAC address of the VSI interface that acts as the
gateway, and then sends the Layer 3 traffic to the centralized EVPN gateway.
2. The local VTEP looks up the matching VSI's MAC address table and forwards the traffic to the
centralized EVPN gateway through a VXLAN tunnel.
3. The centralized EVPN gateway removes the VXLAN encapsulation and forwards the traffic at
Layer 3.
4. The centralized EVPN gateway forwards the replies sent by the destination node to the VM
based on the ARP entry for the VM.
Figure 7 Example of centralized EVPN gateway deployment
Distributed EVPN gateway deployment
As shown in Figure 8, each site's VTEP acts as a gateway to perform Layer 3 forwarding for the
VXLANs of the local site. A VTEP acts as a border gateway to the Layer 3 network for the VXLANs.
Figure 8 Distributed EVPN gateway placement design
Symmetric IRB
A distributed EVPN gateway uses symmetric IRB for Layer 3 forwarding, which means both the
ingress and egress gateways perform Layer 2 and Layer 3 lookups. Symmetric IRB introduces the
following concepts:
• L3 VXLAN ID—Also called L3 VNI. An L3 VXLAN ID identifies the traffic of a routing domain
where devices have Layer 3 reachability. An L3 VXLAN ID is associated with one VPN instance.
Distributed EVPN gateways use VPN instances to isolate traffic of different services on VXLAN
tunnel interfaces.
• Router MAC address—Each distributed EVPN gateway has a unique router MAC address
used for inter-gateway forwarding. The MAC addresses in the inner Ethernet header of VXLAN
packets are router MAC addresses of distributed EVPN gateways.
VSI interfaces
As shown in Figure 9, each distributed EVPN gateway has the following types of VSI interfaces:
• VSI interface as a gateway interface of a VXLAN—The VSI interface acts as the gateway
interface for VMs in a VXLAN. The VSI interface is associated with a VSI and a VPN instance.
On different distributed EVPN gateways, the VSI interface of a VXLAN uses the same IP
address to provide services.
• VSI interface associated with an L3 VXLAN ID—The VSI interface is associated with a VPN
instance and assigned an L3 VXLAN ID. VSI interfaces associated with the same VPN instance
share an L3 VXLAN ID.
A border gateway only has VSI interfaces that are associated with an L3 VXLAN ID.
Figure 9 Example of distributed EVPN gateway deployment
Layer 3 forwarding entry learning
A distributed EVPN gateway forwards Layer 3 traffic based on FIB entries generated from BGP
EVPN routes and ARP information.
A VTEP advertises an external route imported in the EVPN address family through MP-BGP. A
remote VTEP adds the route to the FIB table of a VPN instance based on the L3 VXLAN ID carried in
the route. In the FIB entry, the outgoing interface is the VXLAN tunnel interface where the route is
received, and the next hop is the peer VTEP address in the NEXT_HOP attribute of the route.
A VTEP has the following types of ARP information:
• Local ARP information—ARP information of VMs in the local site. The VTEP snoops GARP
packets, RARP packets, and ARP requests for the gateway MAC address to learn the ARP
information of the senders and generates ARP entries and FIB entries. In an ARP or FIB entry,
the outgoing interface is the site-facing interface where the packet is received, and the VPN
instance is the instance associated with the corresponding VSI interface.
• Remote ARP information—ARP information of VMs in remote sites. Each VTEP uses
MP-BGP to advertise its local ARP information with L3 VXLAN IDs in routes to remote sites. A
VTEP generates only FIB entries for the remote ARP information. A FIB entry contains the
following information:
○ Outgoing interface: VSI interface associated with the L3 VXLAN ID.
○ Next hop: Peer VTEP address in the NEXT_HOP attribute of the route.
○ VPN instance: VPN instance associated with the L3 VXLAN ID.
The VTEP then creates an ARP entry for the next hop in the FIB entry.
Traffic forwarding
A distributed EVPN gateway can work in one of the following modes:
• Switching and routing mode—Forwards Layer 2 traffic based on the MAC address table and
forwards Layer 3 traffic based on the FIB table. In this mode, you need to enable ARP flood
suppression on the distributed EVPN gateway to reduce flooding.
• Routing mode—Forwards both Layer 2 and Layer 3 traffic based on the FIB table. In this
mode, you need to enable local proxy ARP on the distributed EVPN gateway.
For more information about MAC address table-based Layer 2 forwarding, see "Unicast."
Figure 10 shows the intra-site Layer 3 forwarding process.
1. The source VM sends an ARP request to obtain the MAC address of the destination VM.
2. The gateway replies to the source VM with the MAC address of the VSI interface associated
with the source VM's VSI.
3. The source VM sends a Layer 3 packet to the gateway.
4. The gateway looks up the FIB table of the VPN instance associated with the source VM's VSI
and finds the matching outgoing site-facing interface.
5. The gateway processes the Ethernet header of the Layer 3 packet as follows:
○ Replaces the destination MAC address with the destination VM's MAC address.
○ Replaces the source MAC address with the VSI interface's MAC address.
6. The gateway forwards the Layer 3 packet to the destination VM.
Figure 10 Intra-site Layer 3 forwarding
Figure 11 shows the inter-site Layer 3 forwarding process.
1. The source VM sends an ARP request to obtain the MAC address of the destination VM.
2. The gateway replies to the source VM with the MAC address of the VSI interface associated
with the source VM's VSI.
3. The source VM sends a Layer 3 packet to the gateway.
4. The gateway looks up the FIB table of the VPN instance associated with the source VM's VSI
and finds the matching outgoing VSI interface.
5. The gateway processes the Ethernet header of the Layer 3 packet as follows:
○ Replaces the destination MAC address with the destination gateway's router MAC address.
○ Replaces the source MAC address with its own router MAC address.
6. The gateway adds VXLAN encapsulation to the Layer 3 packet and forwards the packet to the
destination gateway. The encapsulated VXLAN ID is the L3 VXLAN ID of the corresponding
VPN instance.
7. The destination gateway identifies the VPN instance of the packet based on the L3 VXLAN ID
and removes the VXLAN encapsulation. Then the gateway forwards the packet based on the
matching ARP entry.
Figure 11 Inter-site Layer 3 forwarding
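The remote-entry learning and inter-site forwarding steps above, modelled as an added Python example (not HPE code and not part of the original guide). VPN instance vpna, L3VNI 1000 and the 10.1.1.11/20.1.1.12 addresses follow Figure 9; the VTEP IPs, MAC addresses, class and method names are constructed, and carrying the router MAC in the route and ignoring an unknown L3 VXLAN ID are modelling assumptions.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "sip dip smac dmac")              # inner headers
Vxlan = namedtuple("Vxlan", "outer_sip outer_dip vni inner")  # encapsulated packet

VSI_MAC = "00:00:5e:00:53:aa"      # constructed VSI interface (gateway) MAC
VM1_MAC, VM5_MAC = "00:00:5e:00:53:11", "00:00:5e:00:53:15"   # constructed

class Gateway:
    def __init__(self, vtep_ip, router_mac, vsi_vpn, l3vni_vpn):
        self.vtep_ip, self.router_mac = vtep_ip, router_mac
        self.vsi_vpn = vsi_vpn        # VXLAN ID of a gateway VSI -> VPN instance
        self.l3vni_vpn = l3vni_vpn    # L3 VXLAN ID -> VPN instance
        self.arp = {}   # (VPN, IP) -> (VM MAC, site-facing interface)
        self.fib = {}   # (VPN, IP) -> (peer VTEP, peer router MAC, L3 VXLAN ID)

    def learn_local(self, vxlan, ip, mac, port):
        """Record local ARP information and return the route to advertise."""
        vpn = self.vsi_vpn[vxlan]
        self.arp[(vpn, ip)] = (mac, port)
        l3vni = next(v for v, name in self.l3vni_vpn.items() if name == vpn)
        # Assumption: the router MAC travels with the route.
        return {"ip": ip, "l3vni": l3vni, "next_hop": self.vtep_ip,
                "router_mac": self.router_mac}

    def install(self, route):
        """Remote ARP information: FIB entry only, VPN chosen by L3 VXLAN ID."""
        vpn = self.l3vni_vpn.get(route["l3vni"])
        if vpn is None:               # assumption: unknown L3 VXLAN ID is ignored
            return False
        self.fib[(vpn, route["ip"])] = (
            route["next_hop"], route["router_mac"], route["l3vni"])
        return True

    def ingress(self, vxlan, frame):
        """Source gateway: FIB lookup, router-MAC rewrite, encapsulation."""
        hit = self.fib.get((self.vsi_vpn[vxlan], frame.dip))
        if hit is None:
            return None
        peer_ip, peer_mac, l3vni = hit
        inner = frame._replace(smac=self.router_mac, dmac=peer_mac)
        return Vxlan(self.vtep_ip, peer_ip, l3vni, inner)

    def egress(self, pkt):
        """Destination gateway: VPN by L3 VXLAN ID, decapsulate, ARP lookup."""
        vpn = self.l3vni_vpn.get(pkt.vni)
        entry = self.arp.get((vpn, pkt.inner.dip))
        if entry is None:             # unknown L3 VXLAN ID or no ARP entry
            return None
        mac, port = entry
        return port, pkt.inner._replace(smac=VSI_MAC, dmac=mac)

def build():
    """GW 1 and GW 2 as in Figure 9: VXLANs 10 and 20 in vpna, L3VNI 1000."""
    vsi, l3 = {10: "vpna", 20: "vpna"}, {1000: "vpna"}
    gw1 = Gateway("192.0.2.1", "00:00:5e:00:53:01", vsi, l3)
    gw2 = Gateway("192.0.2.2", "00:00:5e:00:53:02", vsi, l3)
    gw1.install(gw2.learn_local(20, "20.1.1.12", VM5_MAC, "site-if-1"))
    return gw1, gw2

if __name__ == "__main__":
    gw1, gw2 = build()
    pkt = gw1.ingress(10, Frame("10.1.1.11", "20.1.1.12", VM1_MAC, VSI_MAC))
    print(pkt, gw2.egress(pkt), sep="\n")
```

Because both gateways key every lookup on the VPN instance selected by the L3 VXLAN ID, a packet or route that carries an ID not bound to a VPN instance never reaches a tenant's ARP or FIB table in this model.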
Communication between private and public networks
A distributed EVPN gateway uses the public instance to perform Layer 3 forwarding for the public
network and to enable communication between private and public networks. The public instance is
similar to a VPN instance. A distributed EVPN gateway processes traffic of the public instance in the
same way it does for a VPN instance. For the public instance to work correctly, you must configure
an RD, an L3 VXLAN ID, and route targets for it. If a VSI interface is not associated with any VPN
instance, the VSI interface belongs to the public instance.
RD and route target selection of BGP EVPN routes
As shown in Table 1, you can configure RDs and route targets for BGP EVPN routes in multiple
views.
Table 1 Supported views for RD and route target configuration
Item            Views
RD              • EVPN instance view of a VSI
                • VPN instance view
                • Public instance view
Route targets   • EVPN instance view of a VSI
                • VPN instance view
                • IPv4 VPN view of a VPN instance
                • IPv6 VPN view of a VPN instance
                • EVPN view of a VPN instance
                • Public instance view
                • IPv4 VPN view of the public instance
                • IPv6 VPN view of the public instance
                • EVPN view of the public instance
NOTE:
Route targets configured in VPN instance view apply to IPv4 VPN, IPv6 VPN, and
EVPN. Route targets configured in IPv4 VPN view apply only to IPv4 VPN. Route
targets configured in IPv6 VPN view apply only to IPv6 VPN. Route targets configured
in EVPN view of a VPN instance apply only to EVPN. Route targets configured in IPv4
VPN view, IPv6 VPN view, or EVPN view of a VPN instance take precedence over
those in VPN instance view. The precedence order for different views of a VPN
instance also applies to the views of the public instance.
The device selects RDs and route targets for BGP EVPN routes by using the following rules:
• IMET routes and MAC/IP advertisement routes that contain only MAC addresses—The
device uses the RD and route targets configured in EVPN instance view when advertising and
accepting the routes.
• MAC/IP advertisement routes that contain ARP or ND information—The device uses the
following settings when advertising the routes:
○ RD and export route targets configured in EVPN instance view.
○ Export route targets configured for EVPN on a VPN instance or the public instance (VPN
instance view, EVPN view of a VPN instance or the public instance, and public instance
view).
The device uses the import route targets configured for EVPN on a VPN instance or the public
instance when accepting the routes.
• IP prefix advertisement routes—The device uses the route targets configured for IPv4 VPN
or IPv6 VPN on a VPN instance or the public instance when advertising and accepting the
routes.
EVPN multihoming
IMPORTANT:
This feature is available in R2612 and later.
This feature is not supported on the HPE FlexFabric 5930 switch series.
Overview
As shown in Figure 12, EVPN supports deploying multiple VTEPs at a site for redundancy and high
availability. On the redundant VTEPs, Ethernet links connected to the site form an Ethernet segment
(ES) that is uniquely identified by an Ethernet segment identifier (ESI).
Figure 12 EVPN multihoming
DF election
To prevent redundant VTEPs from sending duplicate flood traffic to a multihomed site, a designated
forwarder (DF) is elected from the VTEPs for each AC to forward flood traffic to the AC. VTEPs that
fail the election are assigned the backup designated forwarder (BDF) role. BDFs of an AC do not
forward flood traffic to the AC.
A remote VTEP takes part in the DF election of a multihomed site. Redundant VTEPs of the site send
Ethernet segment routes to the remote VTEP to advertise ES and VTEP IP mappings. Then, the
VTEPs select a DF for each AC based on the ES and VTEP IP mappings by using the following
procedure:
1. Arrange source IP addresses in Ethernet segment routes with the same ESI in ascending order
and assign a sequence number to each IP address, starting from 0.
2. Divide the lowest VLAN ID permitted on an AC by the number of the redundant VTEPs, and
match the remainder to the sequence numbers of IP addresses.
3. Assign the DF role to the VTEP that uses the IP address with the matching sequence number.
The following uses AC 1 in Figure 13 as an example to explain the DF election procedure:
1. VTEP 1 and VTEP 2 send Ethernet segment routes to VTEP 3.
2. Sequence numbers 0 and 1 are assigned to IP addresses 1.1.1.1 and 2.2.2.2 in the Ethernet
segment routes, respectively.
3. The VTEPs divide 4 (the lowest VLAN ID permitted by AC 1) by 2 (the number of redundant
VTEPs), and match the remainder 0 to the sequence numbers of the IP addresses.
4. The DF role is assigned to VTEP 1 at 1.1.1.1.
Figure 13 DF election
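The DF election procedure above as an added Python example (not HPE code and not part of the original guide). `elect_df` follows the three steps; `disagreements` goes one step beyond the text and compares the DF each VTEP would compute from the Ethernet segment routes it actually holds. AC 2 with VLAN 7 follows the labels of Figure 13; the function names and the missing-route scenario are assumptions.

```python
import ipaddress

# Values from the AC 1 walk-through; AC 2 / VLAN 7 as labelled in Figure 13.
ES_ROUTE_SOURCES = ["2.2.2.2", "1.1.1.1"]   # source IPs of ES routes, same ESI
ACS = {"AC 1": 4, "AC 2": 7}                 # AC -> lowest permitted VLAN ID

def elect_df(es_route_sources, lowest_vlan):
    """Return (DF IP, IPs in sequence-number order) for one AC."""
    if not es_route_sources:
        raise ValueError("no Ethernet segment routes for this ESI")
    # Step 1: ascending numeric order; the list index is the sequence number.
    ordered = sorted({ipaddress.ip_address(ip) for ip in es_route_sources})
    # Step 2: remainder of lowest VLAN ID / number of redundant VTEPs.
    seq = lowest_vlan % len(ordered)
    # Step 3: the VTEP whose IP carries that sequence number is the DF.
    return str(ordered[seq]), [str(ip) for ip in ordered]

def roles(es_route_sources, acs):
    """Map each AC to its DF and BDFs (BDFs do not flood to the AC)."""
    result = {}
    for ac, vlan in acs.items():
        df, ordered = elect_df(es_route_sources, vlan)
        result[ac] = {"DF": df, "BDF": [ip for ip in ordered if ip != df]}
    return result

def disagreements(views, acs):
    """views: {vtep: source IPs of the ES routes that VTEP holds}.
    Returns {ac: {vtep: elected DF}} where the VTEPs elect different DFs."""
    bad = {}
    for ac, vlan in acs.items():
        picks = {v: elect_df(srcs, vlan)[0] for v, srcs in views.items()}
        if len(set(picks.values())) > 1:
            bad[ac] = picks
    return bad

if __name__ == "__main__":
    print(roles(ES_ROUTE_SOURCES, ACS))
    # Constructed failure: VTEP 2 never received VTEP 1's ES route.
    views = {"VTEP 1": ["1.1.1.1", "2.2.2.2"], "VTEP 2": ["2.2.2.2"]}
    print(disagreements(views, ACS))
```

In the constructed failure both VTEPs consider themselves DF of AC 1, so the site would receive the same flood frame twice; sorting the addresses as strings instead of numerically is another way two implementations can end up with different sequence numbers.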
Split horizon
In a multihomed site, a VTEP forwards multicast, broadcast, and unknown unicast frames received
from ACs out of all site-facing interfaces and VXLAN tunnels in the corresponding VXLAN, except for
the incoming interface. As a result, the other VTEPs at the site receive these flood frames and
forward them to site-facing interfaces, which causes duplicate floods and loops. EVPN introduces
split horizon to resolve this issue. Split horizon prevents a VTEP from forwarding flood traffic received from
another local VTEP to site-facing interfaces if an ES on that local VTEP has the same ESI as these
interfaces. As shown in Figure 14, both VTEP 1 and VTEP 2 have ES 1. When receiving flood traffic
from VTEP 1, VTEP 2 does not forward the traffic to interfaces with ESI 1.
Figure 14 Split horizon
Redundancy mode
The device supports the all-active redundancy mode of EVPN multihoming. This mode allows all
redundant VTEPs at a multihomed site to forward broadcast, multicast, and unknown unicast traffic.
• For flood frames received from remote sites, a VTEP forwards them to the ACs of which it is
the DF.
• For flood frames received from the local site, a VTEP forwards them out of all site-facing
interfaces and VXLAN tunnels in the corresponding VXLAN, except for the incoming interfaces.
For flood frames to be sent out of a VXLAN tunnel interface, a VTEP replicates each flood frame
and sends one replica to all the other VTEPs in the corresponding VXLAN.
IP aliasing
In all-active redundancy mode, all redundant VTEPs of an ES advertise the ES to remote VTEPs
through MP-BGP. IP aliasing allows a remote VTEP to add the IP addresses of all the redundant
VTEPs as the next hops for the MAC or ARP information received from one of these VTEPs. This
mechanism creates ECMP routes between the remote VTEP and the redundant VTEPs.
EVPN multicast
IMPORTANT:
This feature is available in R2612 and later.
This feature is not supported on the HPE FlexFabric 5930 switch series.
EVPN supports multicast forwarding. In an EVPN network, VTEPs create and maintain multicast
forwarding entries based on received IGMP membership reports and leave group messages to
reduce IGMP floods.
Multicast in single-homed sites
As shown in Figure 15, VTEPs at single-homed sites create multicast forwarding entries by using the
following procedure:
1. VTEP 1 receives the IGMP membership report sent by Server 1.
2. VTEP 1 creates a multicast forwarding entry and advertises information about the multicast
group to VTEP 2 and VTEP 3 through an SMET route.
3. VTEP 2 and VTEP 3 create multicast forwarding entries based on the SMET route. The next
hop in the entries is VTEP 1.
Figure 15 Multicast in single-homed sites
Multicast in multihomed sites
The IGMP membership reports and leave group messages sent from a multihomed site are received
by multiple VTEPs. To ensure consistency of multicast forwarding entries, redundant VTEPs
advertise IGMP join synch and leave synch routes to synchronize multicast information for each ES.
As shown in Figure 16, if the DF receives the first membership report for an IGMP multicast group,
the following route advertisement and withdrawal process takes place:
1. VTEP 1 (DF) receives an IGMP membership report.
2. VTEP 1 sends an SMET route to VTEP 2 and VTEP 3, and sends an IGMP join synch route to
VTEP 2.
3. An IGMP leave group message is sent from Site 1, and one of the following processes occurs:
○ If VTEP 1 (DF) receives the message, it sends an IGMP leave synch route to VTEP 2 and
withdraws the SMET route and IGMP join synch route that it has advertised.
○ If VTEP 2 (BDF) receives the message, it sends an IGMP leave synch route to VTEP 1.
Then VTEP 1 withdraws the SMET route and IGMP join synch route that it has advertised.
As shown in Figure 16, if the BDF receives the first membership report for an IGMP multicast group,
the following route advertisement and withdrawal process takes place:
1. VTEP 2 (BDF) receives an IGMP membership report.