Ethernet Switching

EVPN loop prevention?

a week ago

Looking at the network drawing I made, there is a possibility that the VLAN from the last-mile provider enters our network on two different physical ports. The VLAN is put in the same EVPN instance.

The last-mile provider uses this so that we as the ISP are in control of migrating from one physical port to the other.

I'm wondering if this setup creates a loop, since an EVPN instance is sort of the same as a L2 switch. Or does EVPN have some sort of loop prevention built in?

 

[Attachment: network drawing, Screenshot 2019-12-02 at 13.27.19.png]


Re: EVPN loop prevention?

a week ago

Hello,

 


@Beeelzebub wrote:

Looking at the network drawing I made, there is a possibility that the VLAN from the last-mile provider enters our network on two different physical ports. The VLAN is put in the same EVPN instance.

The last-mile provider uses this so that we as the ISP are in control of migrating from one physical port to the other.

I'm wondering if this setup creates a loop, since an EVPN instance is sort of the same as a L2 switch.


 

There is an L2 loop possibility, no doubt about it.

 

 


@Beeelzebub wrote:

does EVPN have some sort of loop prevention built in?

 


Yes, of course.

If you are using EVPN Single-Active, a.k.a. Active/Standby (A/S), then one of the JUNOS PEs (the non-DF PE) will block its CE-facing port/VLAN; more specifically, the CE-facing port or VLAN on the non-DF PE will be in the "CCC-Down" state.

If you are using EVPN All-Active, a.k.a. A/A, then you must configure both CE-facing ports in the same LAG; this is RFC 7432 section 8.5: https://tools.ietf.org/html/rfc7432#section-8.5

 

If a bridged network is multihomed to more than one PE in an EVPN
network via switches, then the support of All-Active redundancy mode
requires the bridged network to be connected to two or more PEs using a LAG.

 

Kind of like MC-LAG, but with no ICCP and no ICL: all you need is to use the same LAG system-id and the same ESI for these 2 CE-facing ports on both PEs.

 

Finally, if you are using the CE-facing ports on both PEs as EVPN Single-Homed (SH), then you shall make your own loop prevention measures: run STP through EVPN, use split horizon on the last-mile switch (if supported), etc.

 

HTH

Thx

Alex
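The two multihoming modes described in the reply above (Single-Active with the non-DF port blocked, All-Active with a shared ESI LAG) written out as a Junos PE configuration. This is an added example, not part of the original thread and not taken from Juniper documentation. The hostnames, interface names, ESI value, LACP system-id, instance name, route-distinguisher and route-target are placeholders chosen for illustration; the syntax assumes an MX-series PE (ge/xe member links use gigether-options 802.3ad, whereas EX/QFX use ether-options), with the BGP EVPN sessions between the PEs assumed to be configured already.

```junos
/* PE1 (hypothetical). The SAME esi and the SAME lacp system-id go on PE2,
   so that the last-mile switch sees a single LACP partner and the EVPN
   control plane sees one Ethernet Segment attached to two PEs. Per-PE
   values (member link, loopback, route-distinguisher) differ; the rest
   is identical on both PEs. */
chassis {
    aggregated-devices {
        ethernet {
            /* must be at least the number of ae interfaces in use */
            device-count 4;
        }
    }
}
interfaces {
    xe-0/0/1 {
        description "to last-mile switch (PE1 member link of ESI-LAG ae0)";
        gigether-options {
            802.3ad ae0;
        }
    }
    ae0 {
        description "multihomed attachment circuit: ESI-LAG shared with PE2";
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        esi {
            /* 10-byte type-0 (manually assigned) ESI, identical on PE1 and PE2 */
            00:11:22:33:44:55:66:77:88:99;
            /* all-active: both PEs forward known unicast. EVPN DF election
               lets only the DF send BUM traffic from the core toward the CE,
               and the ESI split-horizon label stops BUM received from one
               PE of the segment being sent back out on the same segment.
               Replace this line with "single-active;" for A/S: the non-DF
               PE then puts ae0.1004 into CCC-Down, as described above. */
            all-active;
        }
        aggregated-ether-options {
            lacp {
                active;
                /* identical on both PEs: the CE must see one LACP system */
                system-id 00:00:00:00:00:01;
            }
        }
        unit 1004 {
            encapsulation vlan-bridge;
            vlan-id 1004;
        }
    }
}
routing-instances {
    EVPN-1004 {
        /* VLAN-based EVPN service: one EVI per customer VLAN */
        instance-type evpn;
        vlan-id 1004;
        interface ae0.1004;
        /* PE1 loopback:VLAN; use 192.0.2.2:1004 on PE2 */
        route-distinguisher 192.0.2.1:1004;
        vrf-target target:65000:1004;
        protocols {
            evpn;
        }
    }
}
```

After committing on both PEs, "show evpn instance extensive" lists the ESI under the instance together with its mode and the designated forwarder, which is the check that both PEs actually agree on the segment; in single-active mode the CE-facing unit showing CCC-Down on the non-DF PE is the expected blocked state, not a fault. The caveat for this thread is the one the original poster ran into: the ESI-LAG only removes the loop if the last-mile side bundles both links with LACP toward the two PEs. Without LACP on the far end the two ports are Single-Homed as far as EVPN is concerned, and the later conclusion in the thread (a separate EVPN instance per port, or STP/split horizon on the last-mile switch) is what remains.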

Re: EVPN loop prevention?

a week ago
Hi Beeelzebub,

Yes, EVPN has a concept of designated forwarding (with ESI LAG) and split horizon. Please check these out for details:

https://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-bgp-multihoming-overview.html
https://www.juniper.net/documentation/en_US/release-independent/solutions/topics/concept/evpn-lag-gu...


Hope this helps.

Regards,
-r.


Re: EVPN loop prevention?

a week ago

No one has marked it yet; has this solution worked?

Re: EVPN loop prevention?

a week ago

To the guys who answered: thanks for your information!

I can see that a LAG needs to be created in order for EVPN to recognize it as a multihoming setup.

However, I won't be able to create a LAG with the last-mile provider, so I will need to think of other ways to accomplish this (aside from creating multiple EVPN instances).

For instance, we use the following family bridge firewall filters to protect the PPPoE clients from receiving PADI packets from other clients (see below).

These filters are used on all logical interfaces, which I think would protect my network from L2 loops?

 

 

show firewall family bridge 
filter ACCEPT-PPPOE-ONLY-OUT {
    term discard-PADI {
        from {
            ether-type pppoe-discovery;
            destination-mac-address {
                ff:ff:ff:ff:ff:ff/48;
            }
        }
        then discard;
    }
    term accept-pppoe {
        from {
            ether-type [ pppoe-discovery pppoe-session ];
        }
        then accept;
    }
    term discard-rest {
        then discard;
    }
}
filter ACCEPT-PPPOE-ONLY-IN {
    term accept-pppoe {
        from {
            ether-type [ pppoe-discovery pppoe-session ];
        }
        then accept;
    }
    term discard-rest {
        then discard;
    }
}
unit 1004 {
    encapsulation vlan-bridge;
    vlan-id 1004;
    family bridge {
        filter {
            input ACCEPT-PPPOE-ONLY-IN;
            output ACCEPT-PPPOE-ONLY-OUT;
        }
    }
}

 

Re: EVPN loop prevention?

Solution accepted by topic author Beeelzebub

a week ago

Hello,

 


@Beeelzebub wrote:

 

For instance, we use the following family bridge firewall filters to protect the PPPoE clients from receiving PADI packets from other clients (see below).

These filters are used on all logical interfaces, which I think would protect my network from L2 loops?

 

show firewall family bridge 
filter ACCEPT-PPPOE-ONLY-OUT {
    term discard-PADI {
        from {
            ether-type pppoe-discovery;
            destination-mac-address {
                ff:ff:ff:ff:ff:ff/48;
            }
        }
        then discard;
    }
    term accept-pppoe {
        from {
            ether-type [ pppoe-discovery pppoe-session ];
        }
        then accept;
    }
    term discard-rest {
        then discard;
    }
}
filter ACCEPT-PPPOE-ONLY-IN {
    term accept-pppoe {
        from {
            ether-type [ pppoe-discovery pppoe-session ];
        }
        then accept;
    }
    term discard-rest {
        then discard;
    }
}
unit 1004 {
    encapsulation vlan-bridge;
    vlan-id 1004;
    family bridge {
        filter {
            input ACCEPT-PPPOE-ONLY-IN;
            output ACCEPT-PPPOE-ONLY-OUT;
        }
    }
}

 


 

No. If you take no other measures and you get PPPoE unknown unicast (from the core or the last-mile switch), it will loop through your EVPN PEs and the last-mile switch.

HTH

Thx

Alex

Re: EVPN loop prevention?

a week ago

Hi Alex,

 

Thanks, we will create multiple EVPN instances should we have a last-mile provider with two connections to our network.

We do not have the possibility of creating a LAG with LACP, so the above option will do.

 

Marijn