How to Configure an IP Clos Fabric for a Campus Network

 

Requirements

This configuration example uses the following devices:

  • Two EX9200 or QFX10000 switches as core devices, Software version: Junos OS Release 20.2R3

  • Two EX4650 or QFX5120 switches as distribution devices, Software version: Junos OS Release 20.2R3

  • Two EX4300-MP switches as the access layer, Software version: Junos OS Release 20.2R3 or Two EX4400 switches, Software version: Junos OS Release 21.1R1.

  • One SRX650 security device

  • One WAN router

  • Juniper Access Points

Overview

Use this network configuration example to deploy a single campus fabric with a Layer 3 IP-based underlay network that uses EVPN as the control plane protocol and VXLAN as the data plane protocol in the overlay network.

We will first configure EBGP as the underlay routing protocol to exchange loopback routes. Then, we will configure IBGP between the core and distribution devices in the overlay to share reachability information about endpoints in the fabric.

Topology

In this example, we configure each device with a /32 loopback address. Figure 1 shows the physical topology, including the SRX Series device, the WAN router, and the access layer devices (EX4300-MP), together with the IP addressing scheme used in this example. The SRX Series device enforces policy rules for transit traffic: it allows traffic that the configured security policy permits and denies traffic that the policy does not permit.

Figure 1: EVPN-VXLAN Fabric

Configure the Underlay IP Fabric

Overview

This section shows how to configure the IP fabric underlay on the core, distribution, and access layer switches using EBGP and how to configure the policy rules on the SRX device.

Interface and Underlay Configuration

Use this section to configure the underlay on the core and distribution layer switches.

Core 1 Configuration

Step-by-Step Procedure

  1. Configure the interfaces connected to the core devices.
  2. Configure the loopback interface and router ID and enable per-packet load balancing.
  3. Configure the BGP underlay network.

Core 2 Configuration

Step-by-Step Procedure

  1. Configure the interfaces connected to the core devices.
  2. Configure the loopback interface and router ID and enable per-packet load balancing.
  3. Configure the BGP underlay network.

Distribution 1 Configuration

Step-by-Step Procedure

  1. Configure the interconnect interfaces between the two core devices and the connectivity to the distribution switches.
  2. Configure the loopback interface and router ID.
  3. Enable per-packet load balancing.
  4. Configure the BGP underlay network.

Distribution 2 Configuration

Step-by-Step Procedure

  1. Configure the interconnect interfaces between the two core devices and the connectivity to distribution switches.
  2. Configure the loopback interface and router ID.
  3. Enable per-packet load balancing.
  4. Configure the BGP underlay network.

Access Switch 1 Configuration

Step-by-Step Procedure

  1. Specify the interfaces that connect to the distribution switches.
  2. (Optional) Configure a Virtual Chassis with non-stop routing and bridging for high availability.
  3. Configure the underlay BGP.

Access Switch 2 Configuration

Step-by-Step Procedure

  1. Specify the interfaces to connect to distribution switches.
  2. (Optional) Configure a Virtual Chassis with non-stop routing and bridging for high availability.
  3. Configure the underlay BGP.

Note

If you have additional access layer switches in your network, repeat this configuration procedure for each access switch.

SRX Configuration

Use this section to configure policy rules that apply to the traffic passing through the firewall. We will also configure the SRX device to translate IP addresses for the Mist-connected devices that send traffic to the public cloud.

Step-by-Step Procedure

  1. Configure security settings on the SRX device.

Configure the Overlay

Overview

This section shows how to configure the overlay, including configuring IBGP peerings, the VLAN to VXLAN mappings, and the IRB interface configurations for the virtual networks on the access switches.

Topology

In this example, we have three virtual networks: 1, 2, and 3. The IRB interfaces for these virtual networks are on the access switches. We placed all IRB interfaces in the same routing instance. You can place the IRB interfaces in different routing instances for network segmentation if it is needed in your deployment.

Figure 2 shows the overlay virtual network with VLANs.

Figure 2: Overlay Virtual Network Topology

Overlay and Virtual Network Configuration

Use this section to configure the overlay on the core and distribution layer switches.

Core 1 Configuration

Step-by-Step Procedure

  1. Set the AS number and configure IBGP neighbors between core and distribution devices. You do not need to configure IBGP neighbors between Core 1 and Core 2 because they receive all BGP updates from Distribution 1 and Distribution 2.

    Configure the core devices as route reflectors to eliminate the need for a full IBGP mesh between all distribution layer switches. This makes the configuration on the distribution layer devices simple and consistent.

Core 2 Configuration

Step-by-Step Procedure

  1. Set the AS number and configure IBGP neighbors between core and distribution devices. Configure the core devices as route reflectors to eliminate the need for full mesh IBGP configuration between all distribution and access layer devices.

Distribution 1 Configuration

Step-by-Step Procedure

  1. Configure IBGP neighbors from the distribution switch to the core switches.

Distribution 2 Configuration

Step-by-Step Procedure

  1. Configure IBGP neighbors from the distribution switch to the core switches.

Access 1 Configuration

Step-by-Step Procedure

  1. Configure the overlay BGP.
  2. Configure EVPN-VXLAN.
  3. Configure the VLAN/VXLAN mapping and IRB interfaces. VLAN_1 is used to send management traffic from Mist APs to the Internet. Configure VLAN_2 and VLAN_3 to connect wired and wireless client devices.
  4. Configure the VRF instance.
  5. Configure the ports for the Mist Access Points as trunk ports. This allows you to use multiple SSIDs and VLANs on the port. VLAN_1 is used to send management traffic from Mist APs to the Internet. Configure VLAN_2 and VLAN_3 to connect wired and wireless client devices.
  6. Configure 802.1x authentication for the wired clients.

Access 2 Configuration

Step-by-Step Procedure

  1. Configure the overlay BGP.
  2. Configure EVPN-VXLAN.
  3. Configure the VLAN/VXLAN mapping and IRB.
  4. Configure the VRF instance.
  5. Configure the ports for the Mist Access Points as trunk ports. This allows you to support multiple SSIDs and VLANs on the port. VLAN_1 is used to send management traffic from Mist APs to the Internet. Configure VLAN_2 and VLAN_3 to connect wired and wireless client devices.
  6. Configure 802.1x authentication for the wired clients.

Note

If you have additional access layer switches in your network, repeat this configuration procedure for each access switch.

Verification

Overview

Log in to each device and verify that the EVPN-VXLAN fabric has been configured.

Verification

Distribution 1: Verifying BGP Sessions

Purpose

Verify the state of the BGP sessions with the core and access devices.

Action

Verify that BGP sessions are established with the core devices and access devices. The IP addresses for the core devices are 172.16.5.1 and 172.16.6.1 and the IP addresses for the access devices are 172.16.1.1 and 172.16.2.1.

user@distribution-1> show bgp summary

Meaning

BGP is up on both the distribution and core devices. The IBGP sessions are established with the loopback interfaces of the core and access devices using MP-IBGP with EVPN signaling to form the overlay that exchanges EVPN routes.

Distribution 2: Verifying BGP Sessions

Purpose

Verify the state of the BGP sessions with the core and access devices.

Action

Verify that BGP sessions are established with the core devices and access devices. The IP addresses for the core devices are 172.16.5.1 and 172.16.6.1 and the IP addresses for the access devices are 172.16.1.1 and 172.16.2.1.

user@distribution-2> show bgp summary

Meaning

BGP is up on both the distribution and core devices. The IBGP sessions are established with the loopback interfaces of the core and access devices using MP-IBGP with EVPN signaling to form the overlay layer and exchange EVPN routes.
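
The check described for Distribution 1 and Distribution 2 can be scripted. The following is an added example, not part of the original procedure: it parses saved `show bgp summary` text and reports any of the four overlay peers named above that is missing or not established. The sample output, AS number 65000, and function names are constructed for illustration, and the column layout is assumed to match standard Junos output.

```python
import ipaddress
import re

# Overlay peers named on this page: core and access loopbacks.
EXPECTED_PEERS = {"172.16.5.1", "172.16.6.1", "172.16.1.1", "172.16.2.1"}

# Assumption: an established peer shows "Establ" or per-table route
# counts (a/b/c/d) in the last column; anything else is a down state.
_UP = re.compile(r"^(Establ|\d+/\d+/\d+/\d+)$")

# Constructed sample output (AS number and counters are illustrative).
SAMPLE = """\
Groups: 1 Peers: 4 Down peers: 1
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
172.16.1.1            65000        210        198       0       0     1:32:10 Establ
  bgp.evpn.0: 6/6/6/0
172.16.2.1            65000          0          0       0       1        4:51 Active
172.16.5.1            65000        305        301       0       0  1d 2:14:09 Establ
  bgp.evpn.0: 12/12/12/0
172.16.6.1            65000        299        300       0       0  1d 2:14:02 Establ
  bgp.evpn.0: 0/12/12/0
"""

def parse_bgp_summary(text):
    """Return {peer_ip: last_column} for every peer row in the summary."""
    peers = {}
    for line in text.splitlines():
        fields = line.split()
        # Peer rows start in column 0 and carry at least 8 fields;
        # indented lines are per-table route counts for the peer above.
        if len(fields) < 8 or line[0].isspace():
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # header or table-summary line
        peers[fields[0]] = fields[-1]
    return peers

def check_peers(text, expected=EXPECTED_PEERS):
    """Return [(peer, problem)] for expected peers that are missing or down."""
    peers = parse_bgp_summary(text)
    problems = []
    for peer in sorted(expected, key=ipaddress.ip_address):
        state = peers.get(peer)
        if state is None:
            problems.append((peer, "missing"))
        elif not _UP.match(state):
            problems.append((peer, state))
    return problems

if __name__ == "__main__":
    for peer, problem in check_peers(SAMPLE):
        print(f"{peer}: {problem}")
```
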

Access 1: Verifying EVPN Database Information

Purpose

Verify that the EVPN database is correctly populated.

Action

Verify that the EVPN database is installing MAC address information for locally attached hosts and receiving advertisements from the other leaf devices with information about remote hosts.

user@access-1> show evpn database

Access 1: Verifying Local Switching Table Information

Purpose

Verify that the local switching table is correctly populated. For this example, we are interested in the devices and routes for VLAN_2.

Action

Verify that the local switching table is installing MAC address information for locally attached hosts and receiving advertisements from the other leaf devices with information about remote hosts.

user@access-1> show ethernet-switching table vlan-name EP-VLAN-1
user@access-1> show ethernet-switching table vlan-name EP-VLAN-2

Meaning

The output above confirms that the local switching table is correctly learning and installing MAC addresses for all endpoints. It shows the relationship between MAC addresses, the VLANs that they are associated with (VLANs 1, 2, and 3), and their next-hop interface.

Access 2: Verifying EVPN Database Information

Purpose

Verify that the EVPN database is correctly populated.

Action

Verify that the EVPN database is installing MAC address information for locally attached hosts and receiving advertisements from the other leaf devices with information about remote hosts.

user@access-2> show evpn database

Access 2: Verifying Local Switching Table Information

Purpose

Verify that the local switching table has been populated correctly.

Action

Verify that the local switching table is installing MAC address information for locally attached hosts and receiving advertisements from the other leaf devices with information about remote hosts.

user@access-2> show ethernet-switching table vlan-name EP-VLAN-2

Meaning

The output above confirms that the local switching table is correctly learning and installing MAC addresses for all endpoints associated with VLAN_2. It shows the relationship between MAC addresses, the VLANs that they are associated with, and their next-hop interface.