EVPN Networking Support
SUMMARY Juniper Cloud-Native Contrail Networking release R22.4 supports EVPN/VXLAN forwarding using Type2 prefixes with Virtual Networks utilizing forwarding mode L2 and L2_L3. With EVPN for Layer 2 connectivity and VXLAN for data encapsulation, CN2 enables you to establish connectivity between a CN2 virtual network and an EVPN-VXLAN-signalled service.
EVPN Overview
EVPN is an extension to Border Gateway Protocol (BGP) that allows the network to carry endpoint reachability information such as Layer 2 MAC addresses and Layer 3 IP addresses. This control plane technology uses Multiprotocol BP (MP-BGP) for MAC and IP address endpoint distribution, where MAC addresses are treated as routes.EVPN also provides multipath forwarding and redundancy through an all-active multihoming model. An endpoint or device connects to two or more upstream devices and forwards traffic using all the links. If a link or device fails, traffic continues to flow using the remaining active links.
With EVPN, MAC learning is handled in the control plane. This avoids the data plane flooding of unknown IPs typical with Layer 2 networks. EVPN also supports different data-plane encapsulation technologies between EVPN-VXLAN-enabled switches. In EVPN-VXLAN architecture, VXLAN provides the overlay data-plane encapsulation.
VXLAN Overview
VXLAN is an overlay tunneling protocol. The VXLAN tunneling protocol encapsulates MAC frames into UDP headers at Layer 2. This means that VXLAN encapsulates Ethernet frames into UDP packets with the physical network headers (IP header, Ethernet header) as outer headers. As a result, VXLAN enables devices to route UDP packets across networks, independent of the physical underlay.
The entity that performs the encapsulation and de-encapsulation is called a VXLAN tunnel endpoint (VTEP). After CN2 establishes a VXLAN segment, a VTEP encapsulates VM or pod traffic into a VXLAN header and sends that traffic to another VTEP. The receiving VTEP removes or strips off the encapsulation and forwards the data. VMs or pods must belong to the same VXLAN segment to communicate using VXLAN.
EVPN-VXLAN Overview
In Juniper networks, EVPN performs control plane functionality and VXLAN performs data plane functionality. EVPN handles MAC address learning in the control plane. VXLAN defines a tunneling scheme to overlay Layer 2 networks on top of Layer 3 networks. This tunneling scheme allows for optimal forwarding of Ethernet frames with support for an all-active multipathing of unicast and multicast traffic with the use of UDP/IP encapsulation for tunneling.
Configuring VXLAN Encapsulation Priority
The default encapsulation protocol for EVPN is MPLS over UDP. In order to enable EVPN-VXLAN
for your cluster, you must change the encapsulation priority order in the
GlobalVrouterConfig
of your cluster. Set VXLAN as the top encapsulation
priority in the encapsulation
section of
encapsulationPriorities
in the
default-global-vrouter-config
object of
GlobalVrouterConfig
.
The following example GlobalVrouterConfig
shows VXLAN as the top
encapsulation priority.
apiVersion: core.contrail.juniper.net/v1 kind: GlobalVrouterConfig metadata: creationTimestamp: "2022-08-23T10:45:52Z" generation: 6 labels: core.juniper.net/parent: 9b83eddfaaa5778ad6b99cb81c803529cf911d492b9e7ec6d63d029d name: default-global-vrouter-config resourceVersion: "35583" uid: b2b57f5c-8dd0-4cd1-848f-0ec23f2819df spec: encapsulationPriorities: encapsulation: - VXLAN - MPLSoGRE - MPLSoUDP fqName: - default-global-system-config - default-global-vrouter-config linklocalServices: linklocalServiceEntry: - ipFabricServiceIP: - 10.87.76.29 - 10.87.76.31 - 10.87.76.32 ipFabricServicePort: 6443 linklocalServiceIP: 10.200.0.1 linklocalServiceName: kubernetes linklocalServicePort: 443 parent: apiVersion: core.contrail.juniper.net/v1 kind: GlobalSystemConfig name: default-global-system-config uid: 2f9ff5cf-4d40-4e8f-b7d3-2e403624c572 portTranslationPools: pools: - portRange: endPort: 57023 startPort: 56000 protocol: tcp - portRange: endPort: 58047 startPort: 57024 protocol: udp status: observation: "" state: Success
Manually Set a VXLAN VNI for Virtual Networks
A VXLAN network identifier (VNI) uniquely identifies the VXLAN segment. VNIs enable CN2 to use the same MAC frames across multiple VXLAN segments without traffic crossover. This means that CN2 can establish multiple VXLAN segments between the same VMs or pods with traffic isolation. VMs or pods on the same VNI communicate with each other and VMs or pods on separate VNIs need a router to communicate. VLAN tunnel endpoints (VTEPs) perform data encapsulation and reference VNI and MAC address information when looking up the forwarding table of another VM or pod. Once the VTEP determines a forwarding table, one VTEP endpoint sends a UDP packet to another endpoint over a network.
CN2 assigns a unique VNI to a virtual network (VN) upon VN creation. In CN2 release 22.4, you can manually set a VNI for your virtual networks. You can also define a VNI using a Network Attachment Definition (NAD).
The following YAML example shows a user-defined VNI in a VN.
apiVersion: core.contrail.juniper.net/v1 kind: VirtualNetwork metadata: namespace: evpnl2test name: vn1 spec: v4SubnetReference: apiVersion: core.contrail.juniper.net/v1 kind: Subnet namespace: evpnl2test name: sn1 virtualNetworkProperties: forwardingMode: l2 virtualNetworkNetworkId: 5000
The following YAML example shows a user-defined VNI in a NAD.
apiVersion: "k8s.cni.cncf.io/v1" kind: NetworkAttachmentDefinition metadata: name: evpnl2 namespace: evpnl2test annotations: juniper.net/networks: '{ "ipamV4Subnet": "172.26.10.0/24", "virtualNetworkNetworkID": 5000 }' spec: config: '{ "cniVersion": "0.3.1", "name": "evpnl2", "type": "contrail-k8s-cni" }'