
How to Configure an EVPN-VXLAN Fabric for a Campus Network With CRB

Requirements

This configuration example uses the following devices:

  • Two EX9251 switches as core devices. Software version: Junos OS Release 18.4R2-S4.5.

  • Two EX4600 switches as distribution devices. Software version: Junos OS Release 18.4R2-S4.5.

  • One EX4300 switch as the access layer. In your configuration, this can be a Juniper Networks switch or a third-party switch.

  • One SRX650 security device.

  • One WAN router.

  • Mist Access Points.

Overview

Use this NCE to deploy a single campus fabric with a Layer 3 IP-based underlay network that uses EVPN as the control plane protocol and VXLAN as the data plane protocol in the overlay network. In this example, you deploy a centrally routed bridging (CRB) architecture. See EVPN-VXLAN Campus Architectures for details on supported EVPN-VXLAN campus architectures.

First, you configure OSPF as the underlay routing protocol to exchange loopback routes. You then configure IBGP between the core and distribution devices in the overlay to share reachability information about endpoints in the fabric.

Topology

In this example, each device is configured with a /32 loopback address. Figure 1 shows the physical topology with an SRX Series device, WAN router, access layer devices (EX4300 and EX4300-VC), and the IP addressing scheme used in this example. The SRX Series device is used to enforce policy rules for transit traffic by identifying and allowing the traffic that can pass through and denying the traffic that is not permitted.

Figure 1: EVPN-VXLAN Fabric

Configure the Underlay IP Fabric

Requirements

Overview

This section shows how to configure the IP fabric underlay on the core and distribution layer switches using OSPF.

Interface and Underlay Configuration

Use this section to configure the underlay on the core and distribution layer switches.

Core 1 Configuration

Step-by-Step Procedure
  1. Configure the interconnect interfaces between the two core devices and the connectivity to the distribution switches.

  2. Configure the loopback interface and router ID.

  3. Enable per-packet load balancing.

  4. Configure the OSPF underlay network.

Core 2 Configuration

Step-by-Step Procedure
  1. Configure the interconnect interfaces between the two core devices and the connectivity to distribution switches.

  2. Configure the loopback interface and router ID.

  3. Enable per-packet load balancing.

  4. Configure the OSPF underlay network.

Distribution 1 Configuration

Step-by-Step Procedure
  1. Configure the interfaces connected to the core devices.

  2. Configure the loopback interface and router ID and enable per-packet load balancing.

  3. Configure the OSPF underlay network.

Distribution 2 Configuration

Step-by-Step Procedure
  1. Configure the interfaces connected to the core devices.

  2. Configure the loopback interface and router ID and enable per-packet load balancing.

  3. Configure the OSPF underlay network.

Configure the Overlay

Requirements

Overview

This section shows how to configure the overlay. It includes IBGP peerings, the VLAN to VXLAN mappings, and the IRB interface configurations for the virtual networks.

Topology

In this example, there are three virtual networks: 1, 2, and 3. The IRB interfaces for these virtual networks are defined on both of the core switches in keeping with a CRB architecture. All IRB interfaces are placed in the same routing instance on the core switches. Place IRB interfaces in different routing instances for network segmentation if needed in your deployment.

Figure 2 shows the overlay virtual network topology.

Figure 2: Overlay Virtual Network Topology

Overlay and Virtual Network Configuration

Use this section to configure the overlay and virtual networks on the core and distribution layer switches.

Core 1 Configuration

Step-by-Step Procedure
  1. Set the AS number and configure IBGP neighbors between core and distribution devices.

    You do not need to configure IBGP neighbors between Core 1 and Core 2 because they receive all BGP updates from Distribution 1 and Distribution 2.

    Configure the core devices as route reflectors to eliminate the need for a full IBGP mesh between all distribution layer switches. This also makes the configuration on the distribution layer devices simple and consistent.

  2. Configure Layer 3 IRB interfaces for the virtual networks. IRB interface 1 sends management traffic from Mist APs to the Internet. IRB interfaces 2 and 3 connect wired and wireless client devices.

  3. Configure overlay virtual networks under a virtual switch instance.

  4. Configure VRF routing instances for the virtual networks.

  5. Configure the interfaces that we will add to the VRF routing instances.

    1. Configure a virtual switch instance for the overlay networks.

    2. Configure the interfaces for the evpn_type5_vrf__3001 routing instance.

    3. Configure the interfaces for the evpn_type5_vrf__3002 routing instance.

  6. Configure EVPN Type 5 for the evpn_type5_vrf__3001 and evpn_type5_vrf__3002 routing instances.

Core 2 Configuration

Step-by-Step Procedure

  1. Set the AS number and configure IBGP neighbors between core and distribution devices. Configure the core devices as route reflectors to eliminate the need for full mesh IBGP configuration between all distribution layer devices.

  2. Configure Layer 3 IRB interfaces for the virtual networks. IRB interface 1 sends management traffic from Mist APs to the Internet. IRB interfaces 2 and 3 connect wired and wireless client devices.

  3. Configure overlay virtual networks under a virtual switch instance.

  4. Configure VRF routing instances for the virtual networks.

  5. Configure the interfaces that we will add to the VRF routing instances.

    1. Configure a virtual switch instance for the overlay networks.

    2. Configure the interfaces for the evpn_type5_vrf__3001 routing instance.

    3. Configure the interfaces for the evpn_type5_vrf__3002 routing instance.

  6. Configure EVPN Type 5 for the evpn_type5_vrf__3001 and evpn_type5_vrf__3002 routing instances.

SRX Configuration

Step-by-Step Procedure

  1. Configure redundant Ethernet (reth) interfaces on the SRX650.

  2. Inter-VRF routing between EVPN Type 5 VRF instances takes place on the SRX650. EBGP is enabled between the VRF instances and the SRX650. Add a static route on the SRX650 to facilitate learning on both sets of routes and improve communication between the EVPN Type 5 VRF instances.

  3. Configure the chassis cluster.

Distribution 1 Configuration

Step-by-Step Procedure
  1. Configure IBGP neighbors from the distribution switch to the core switches.

  2. Configure switch options on the distribution switch.

  3. Enable VXLAN encapsulation.

  4. Configure VLANs and VXLAN mappings.

Distribution 2 Configuration

Step-by-Step Procedure
  1. Configure IBGP neighbors from the distribution switch to the core switches.

  2. Configure switch options on the distribution switch.

  3. Enable VXLAN encapsulation.

  4. Configure VLANs and VXLAN mappings.

Configure Multihoming Between Access Layer Switch and Distribution Layer Devices

Requirements

Overview

This section shows how to configure multihome uplink interfaces from an access layer switch to distribution layer devices. Use this example to multihome access layer uplink interfaces in the same aggregated Ethernet interface to multiple distribution layer devices.

Topology

The access layer supports Layer 2 for VLANs. The uplink from the access layer is an aggregated Ethernet link bundle or LAG configured as a trunk port that carries the VLANs from the access layer switch to the distribution layer switches.

Figure 3 shows the physical topology.

Figure 3: Multihoming Topology

Configuration

Use this example to configure the distribution layer for EVPN multihoming and the access layer switch.

Distribution 1 Configuration

Step-by-Step Procedure
  1. Specify which members to include in the aggregated Ethernet bundle.

  2. Configure the aggregated Ethernet interface. This includes the Ethernet segment identifier (ESI), which assigns multihomed interfaces into an Ethernet segment and must match on all multihomed interfaces.

Distribution 2 Configuration

Step-by-Step Procedure
  1. Specify which members to include in the aggregated Ethernet bundle.

  2. Configure the aggregated Ethernet interface, including the ESI.
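
Because the ESI must match on every multihomed interface, a pre-commit check that compares the value across both distribution devices catches a mistyped octet before it splits the Ethernet segment. The following Python script is an added example, not part of the original procedure or Juniper's own tooling. The configuration lines are constructed samples in Junos set format, the device names dist1 and dist2 are hypothetical, and only the ESI value and the ae3 interface name come from the verification sections of this page.

```python
import re

# Matches interface-level "esi <value>" statements in Junos set format.
ESI_LINE = re.compile(r"^set interfaces (\S+) esi (\S+)$")
ESI_VALUE = re.compile(r"^(?:[0-9a-f]{2}:){9}[0-9a-f]{2}$")  # 10 octets
MODES = {"all-active", "single-active"}  # keywords, not ESI values
RESERVED = {"0" * 20, "f" * 20}  # RFC 7432: ESI 0 and MAX-ESI are reserved

# Constructed sample configuration (not taken from the page's devices).
DIST1 = """
set interfaces ae3 esi 00:00:22:22:33:33:44:44:00:01
set interfaces ae3 esi all-active
set interfaces ae3 unit 0 family ethernet-switching interface-mode trunk
"""
DIST2_OK = DIST1
DIST2_TYPO = DIST1.replace("44:00:01", "44:00:02")  # one mistyped octet


def parse_esi(config):
    """Return {interface: esi} for every interface-level ESI statement."""
    found = {}
    for line in config.splitlines():
        m = ESI_LINE.match(line.strip())
        if m and m.group(2) not in MODES:
            found[m.group(1)] = m.group(2).lower()
    return found


def check_segment(configs, interface):
    """configs maps device name to config text; returns findings, [] if OK."""
    findings, valid = [], {}
    for device, text in configs.items():
        esi = parse_esi(text).get(interface)
        if esi is None:
            findings.append(f"{device}: no ESI on {interface}")
        elif not ESI_VALUE.match(esi):
            findings.append(f"{device}: malformed ESI {esi}")
        elif esi.replace(":", "") in RESERVED:
            findings.append(f"{device}: reserved ESI {esi}")
        else:
            valid[device] = esi
    # Every device that has a valid ESI must carry the same one.
    if len(set(valid.values())) > 1:
        findings.append(f"{interface}: ESI mismatch {valid}")
    return findings


if __name__ == "__main__":
    for name, peer in (("matching", DIST2_OK), ("typo", DIST2_TYPO)):
        result = check_segment({"dist1": DIST1, "dist2": peer}, "ae3")
        print(name, "->", result or "OK")
```

Feed it the output of show configuration | display set from each distribution device; an empty findings list means the ESI on the named interface is present, well formed, and identical on all of them.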

Access Switch Configuration

Step-by-Step Procedure
  1. Specify which members to include in the aggregated Ethernet bundle.

  2. Configure the aggregated Ethernet interface.

  3. Configure the VLANs. VLAN_1 sends management traffic from Mist APs to the Internet. VLAN_2 and VLAN_3 connect wired and wireless client devices.

  4. Configure the access ports as trunk ports to connect Mist Access Points. For example, you can configure an SSID for employees and an SSID for guests and map them to VLAN2 and VLAN3 respectively.

    You have now multihomed the uplink interfaces from the access layer switch to the distribution layer devices.

    If you have multiple access layer switches in your network, repeat this configuration procedure for each switch.

Verification

Log in to each device and verify that the EVPN-VXLAN fabric has been configured.

Distribution 1: Verifying BGP Sessions

Purpose

Verify the state of the BGP sessions with the core devices.

Action

Verify that the Distribution 1 IBGP sessions are established with the loopbacks of the core devices, which have IP addresses 192.168.0.1 and 192.168.0.2.

Meaning

The IBGP sessions are established with the loopback interfaces of the core devices using MP-IBGP with EVPN signaling to form the overlay layer and exchange EVPN routes.

Distribution 1: Verifying EVPN Database Information

Purpose

Verify that the EVPN database has been populated correctly.

Action

Verify that the EVPN database is installing MAC address information for locally attached hosts and receiving advertisements from the other leaf devices with information about remote hosts.

Meaning

The output above confirms that the EVPN database is properly learning and installing MAC routes for all endpoints. It also shows the relationship between MAC addresses and their associated VNIs: 5001, 5002, and 5003.

The EVPN database learns MAC addresses with source 00:00:22:22:33:33:44:44:00:01 from the access layer, which is multihomed to the distribution layer. This learning behavior is evidenced by the presence of the ESI—previously configured as 00:00:22:22:33:33:44:44:00:01—as the Active Source for these entries. A matching Active Source output can also be seen on the Distribution 2 switch outputs shown later in this network configuration example.

Distribution 1: Verifying Local Switching Table Information

Purpose

Verify that the local switching table has been populated correctly.

Action

Verify that the local switching table is installing MAC address information for locally attached hosts and receiving advertisements from the other leaf devices with information about remote hosts.

Meaning

The output above confirms that the local switching table is correctly learning and installing MAC addresses for all endpoints. It also shows the relationship between MAC addresses, the VLANs they are associated with (in this case, VLANs 1, 2, and 3), and their next-hop interface.

Distribution 1: Verifying Multihomed Ethernet Segment

Purpose

Check the multihome connection from Access Switch 1 to the distribution devices.

Action

Verify the local interfaces that are part of the Ethernet segment, other distribution devices that are part of the same Ethernet segment, the bridge domains that are part of the Ethernet segment, and the designated forwarder for the Ethernet segment.

Meaning

Interface ae3.0 is part of this Ethernet segment. The virtual networks 1, 2, and 3 are part of this Ethernet segment. The remote PE or distribution device participating in this Ethernet segment is 192.168.1.2. In this multihomed Ethernet segment, the local distribution device Distribution 1 is the designated forwarder for broadcast, unknown unicast, and multicast (BUM) traffic. This means only Distribution 1 will forward BUM traffic into this Ethernet segment.

Distribution 2: Verifying BGP Sessions

Purpose

Verify the state of the BGP sessions with the core devices.

Action

Verify that BGP sessions are established with the core devices. The IP addresses of the core devices are 192.168.0.1 and 192.168.0.2.

Meaning

The IBGP sessions are established with the loopbacks of the core devices using MP-IBGP with EVPN signaling to form the overlay layer and enable the exchange of EVPN routes.

Distribution 2: Verifying EVPN Database Information

Purpose

Verify that the EVPN database has been populated correctly.

Action

Verify that the EVPN database is installing MAC address information for locally attached hosts and receiving advertisements from the other leaf devices with information about remote hosts.

Meaning

The output above confirms that the EVPN database is properly learning and installing MAC routes for all endpoints. It also shows the relationship between MAC addresses and their associated VNIs: 5001, 5002, and 5003.

The EVPN database learns the MAC addresses with source 00:00:22:22:33:33:44:44:00:01 in the output from the access layer, which is multihomed to the distribution layer. This learning behavior is evidenced by the presence of the ESI—previously configured as 00:00:22:22:33:33:44:44:00:01—as the Active Source for these entries.

Distribution 2: Verifying Local Switching Table Information

Purpose

Verify that the local switching table has been populated correctly.

Action

Verify that the local switching table is installing MAC address information for locally attached hosts and receiving advertisements from the other leaf devices with information about remote hosts.

Meaning

The output above confirms that the local switching table is correctly learning and installing MAC addresses for all endpoints. It also shows the relationship between the MAC addresses, their associated VLANs (VLANs 1, 2, and 3), and their next-hop interfaces.

Distribution 2: Verifying Multihomed Ethernet Segment

Purpose

Check the multihome connection from Access Switch 1 to the distribution devices. In this example, ESI 00:00:22:22:33:33:44:44:00:01 provides this multihoming for Access Switch 1.

Action

Verify the local interfaces that are part of the Ethernet segment, other distribution devices that are part of the same Ethernet segment, the bridge domains that are part of the Ethernet segment, and the designated forwarder for the Ethernet segment.

Meaning

Interface ae3.0 is part of this Ethernet segment. The virtual networks 1, 2, and 3 are part of this Ethernet segment. The remote PE, or distribution device, participating in this Ethernet segment is 192.168.1.2. In this multihomed Ethernet segment, the remote distribution device Distribution 1 is the designated forwarder for BUM traffic. This means only Distribution 1 will forward BUM traffic into this Ethernet segment.

Core 1: Verifying BGP Sessions

Purpose

Verify the state of BGP sessions with the core devices and distribution devices.

Action

Verify that IBGP sessions are established with the loopbacks of the distribution devices.

Meaning

The IBGP sessions are established with the loopback interfaces of the distribution devices using MP-IBGP with EVPN signaling to form the overlay layer and enable the exchange of EVPN routes.

Core 1: Verifying EVPN Database Information

Purpose

Verify that the EVPN database has been populated correctly.

Action

Verify that the EVPN database is receiving advertisements from the other distribution devices and installing MAC address information for devices attached to the access layer.

The core devices learn these MAC addresses through EVPN.

Meaning

The output above confirms that the EVPN database is properly learning and installing MAC routes for all endpoints. It also shows the relationship between MAC addresses and the VNIs they are associated with: 5001, 5002, and 5003.

Core 1: Verifying Local Switching Table Information

Purpose

Verify that the local switching table has been populated correctly.

Action

Verify that the local switching table is receiving advertisements from the other distribution devices and installing MAC address information for devices attached to the access layer.

Meaning

The output above confirms that the local switching table is correctly learning and installing MAC addresses for all endpoints. It also shows the relationship between MAC addresses, the VLANs they are associated with (in this case, VLANs 1, 2, and 3), and their next-hop interface.

Core 2: Verifying BGP Sessions

Purpose

Verify the state of the BGP sessions with the distribution devices.

Action

Verify that IBGP sessions are established with the loopbacks of the distribution devices.

Meaning

The IBGP sessions are established with the loopbacks of the distribution devices using MP-IBGP with EVPN signaling to form the overlay layer and enable the exchange of EVPN routes.

Core 2: Verifying EVPN Database Information

Purpose

Verify that the EVPN database has been populated correctly.

Action

Verify that the EVPN database is receiving advertisements from the other leaf devices and installing MAC address information for devices attached to the access layer.

Meaning

The output above confirms that the EVPN database is properly learning and installing MAC routes for all endpoints. It also shows the relationship between MAC addresses and the VNIs they are associated with: 5001, 5002, and 5003.

Core 2: Verifying Local Switching Table Information

Purpose

Verify that the local switching table has been populated correctly.

Action

Verify that the local switching table is receiving advertisements from the other leaf devices and installing MAC address information for devices attached to the access layer.

Meaning

The output above confirms that the local switching table is correctly learning and installing MAC addresses for all endpoints. It also shows the relationship between MAC addresses, the VLANs they are associated with (in this case, VLANs 1, 2, and 3), and their next-hop interface.