Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

APPENDIX: WAN Router Integration into the Fabric

In general, there are several possible ways to attach a WAN router to a campus fabric.

  • Via a Layer 2 forwarding method:
    • The fabric uplinks are configured as ESI-LAGs and contain one or more tagged VLANs (one for each VRF) to communicate with the WAN router.
    • It is also necessary that you configure the IP address of the WAN router interface manually as the next-hop IP address for default-forwarding on each fabric VRF as already shown above.
    • The WAN router itself needs to understand standard IEEE 802.3ad LAG with active LACP.
    • If you have more than one WAN router attached for redundancy, it is advised to provide failover mechanisms between them for the interface IP addresses towards the fabric. VRRP is recommended.
    • Routes between fabric and WAN router are only statically configured.
  • Via a Layer 3 forwarding method:
    • The fabric uplinks are configured as Layer 3 peer-to-peer IP links.
    • Per fabric VRF, a peer-to-peer link needs to be established with the WAN router.
    • Usually, there are multiple peer-to-peer links on a single physical uplink. Those are further segmented via tagged VLANs to provide isolation on the uplinks.
    • There is no need to manually configure next-hops for each VRF inside the fabric as it is assumed that the propagation of the default gateways will be obtained from the WAN router through a routing protocol.
    • Between the fabric and the WAN router, a routing protocol must be established to exchange routes.
    • The campus fabric supports exterior BGP and OSPF as routing protocols towards the WAN router.
Note:

The details of such integration are explained in a JVD extension for all fabric types.

For simplicity, in this JVD we have chosen to utilize the Layer 2 exit through the ESI-LAG as the stretched VLAN, which is not intended to be used in production.

Remember that you chose to deploy the border gateway capability on the Juniper Networks® EX9204 Switches during the Campus Fabric Core-Distribution deployment, represented below:

Figure 1: WAN-Router Integration Via ESI-LAG WAN-Router Integration Via ESI-LAG

Mist enables the EX9204 to translate between VXLAN traffic within the campus fabric and standard Ethernet switching for external connectivity—in this case an MX router. Let’s verify the ESI status on the core switches.

Figure 2: LAG with LACP Not Up LAG with LACP Not Up

We must configure the attachment of the WAN router to complete the entire design. Without the WAN router configuration, the fabric only allows the following communications:

  • The same VLAN/VNI on the same access switch but different ports.
  • The same VLAN/VNI on different access switches.
  • Different VLAN/VNI attached to the same VRF on the same access switch, but different ports.
  • Different VLAN/VNI attached to the same VRF on different access switches.

All traffic between VRFs is always isolated inside the fabric. For security reasons, there is no possible configuration to perform route leaking between VRFs. This means that traffic between them is handled directly inside the fabric without the need to traverse through the WAN router as a possible enforcement point.

We must configure the ESI-LAG and Mist does not configure this automatically. Add a Port profile on core switches interfaces facing the WAN router.

The following represents an existing Port Profile applied to each MX-Router facing EX9204 Switch port (on Core2, the switch port is xe-1/0/1).

Figure 3: Port Config with ESI-LAG Port Config with ESI-LAG
  1. Save the configuration and then verify the changes on the core switch.
Figure 4: check ESI-LAG Configuration and EVPN DB check ESI-LAG Configuration and EVPN DB

Note that LACP is up, and this infers that there is an existing configuration on the MX router.

Figure 5: LACP Link to WAN-Router Up LACP Link to WAN-Router Up

Then, confirm the EVPN database now has the ESI entry. The MX router IP address for each VLAN ending in .254 is also present in the EVPN database. Back on Desktop1, verify that it can cross the fabric.

Figure 6: Ping Internet from Client1 Ping Internet from Client1

The last step is to verify that Desktop1 can ping Desktop2.

Figure 7: Verify VRF to VRF Traffic Text Description automatically generated
Figure 8: Topology Repeat A diagram of a network Description automatically generated

Conclusion: The connectivity within the campus fabric and externally have been verified. Desktops can communicate with each other through the campus fabric, each in an isolated VRF, then forwarded to the MX router through the dual-homing ESI-LAG on both Core1 and 2 for routing between VRFs or routing instances. Internet connectivity was also verified from each desktop.