
qfx5100-48S: EVPN AND VXLAN

‎12-15-2016 07:39 AM

Hi everyone,

I have a test lab. The topology is as follows:

 

qfx5100-1---------------qfx5100-2

     |                                  |

     |                                  |

     |                                  |

   host-1                         host-2

 

====================================

configuration:

 

root@qfx5100-1# show | display set 
set version 14.1X53-D35.3
set system host-name qfx5100-1
set system root-authentication encrypted-password "$1$Wi6S7UO9$dwPAk/tS.MRBUxKKnoVoL0"
set system services ssh
set system services telnet
set interfaces xe-0/0/0 mtu 9216
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members hosts
set interfaces xe-0/0/36 mtu 9216
set interfaces xe-0/0/36 unit 0 description "To qfx5100-2-xe-0/0/46"
set interfaces xe-0/0/36 unit 0 family inet address 10.10.10.1/30
set interfaces lo0 unit 0 family inet address 10.1.1.1/32
set routing-options router-id 10.1.1.1
set routing-options autonomous-system 65401
set routing-options forwarding-table export load-balance
set protocols bgp group fabric type external
set protocols bgp group fabric family inet unicast
set protocols bgp group fabric family evpn signaling
set protocols bgp group fabric export allow-all
set protocols bgp group fabric multipath multiple-as
set protocols bgp group fabric neighbor 10.10.10.2 description qfx5100-2
set protocols bgp group fabric neighbor 10.10.10.2 peer-as 65402
set protocols evpn vni-options vni 10 vrf-target export target:1:10
set protocols evpn encapsulation vxlan
set protocols evpn extended-vni-list 10
set protocols evpn multicast-mode ingress-replication
set policy-options policy-statement allow-all term allow from protocol direct
set policy-options policy-statement allow-all term allow from route-filter 10.1.1.1/32 exact
set policy-options policy-statement allow-all term allow then accept
set policy-options policy-statement allow-all then accept
set policy-options policy-statement load-balance then load-balance per-packet
set policy-options policy-statement vrf-import term vxlan10 from community vxlan10
set policy-options policy-statement vrf-import term vxlan10 then accept
set policy-options policy-statement vrf-import then reject
set policy-options community vxlan10 members target:1:10
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.1.1.1:1
set switch-options vrf-import vrf-import
set switch-options vrf-target target:65401:100
set switch-options vrf-target auto
set vlans hosts vlan-id 10              
set vlans hosts vxlan vni 10
set vlans hosts vxlan ingress-node-replication
root@qfx5100-2# show | display set 
set version 14.1X53-D35.3
set system host-name qfx5100-2
set system root-authentication encrypted-password "$1$Efk1tFQH$7wFoqXtVNu/QrG9ZX/NOW1"
set system services ssh
set system services telnet
set interfaces xe-0/0/0 mtu 9216
set interfaces xe-0/0/0 unit 0 description host
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members hosts
set interfaces xe-0/0/36 mtu 9216
set interfaces xe-0/0/36 unit 0 description "To qfx5100-1-xe-0/0/46"
set interfaces xe-0/0/36 unit 0 family inet address 10.10.10.2/30
set interfaces lo0 unit 0 family inet address 10.2.2.2/32
set routing-options router-id 10.2.2.2
set routing-options autonomous-system 65402
set routing-options forwarding-table export load-balance
set protocols bgp group fabric type external
set protocols bgp group fabric family inet unicast
set protocols bgp group fabric family evpn signaling
set protocols bgp group fabric export allow-all
set protocols bgp group fabric multipath multiple-as
set protocols bgp group fabric neighbor 10.10.10.1 description qfx5100-1
set protocols bgp group fabric neighbor 10.10.10.1 peer-as 65401
set protocols evpn vni-options vni 10 vrf-target export target:1:10
set protocols evpn encapsulation vxlan
set protocols evpn extended-vni-list 10
set protocols evpn multicast-mode ingress-replication
set policy-options policy-statement allow-all term allow from protocol direct
set policy-options policy-statement allow-all term allow from route-filter 10.2.2.2/32 exact
set policy-options policy-statement allow-all term allow then accept
set policy-options policy-statement load-balance then load-balance per-packet
set policy-options policy-statement vrf-import term vxlan10 from community vxlan10
set policy-options policy-statement vrf-import term vxlan10 then accept
set policy-options policy-statement vrf-import then reject
set policy-options community vxlan10 members target:1:10
set switch-options vtep-source-interface lo0.0
set switch-options route-distinguisher 10.1.1.2:1
set switch-options vrf-import vrf-import
set switch-options vrf-target target:65401:100
set switch-options vrf-target auto
set vlans hosts vlan-id 10
set vlans hosts vxlan vni 10
set vlans hosts vxlan ingress-node-replication
root@host-1# show | display set 
set version 14.1X53-D35.3
set system root-authentication encrypted-password "$1$tvVqqvaS$f.muCwcISMs2.dFQOlfvz0"
set system services ssh
set system services telnet
set interfaces xe-0/0/0 unit 0 family inet address 192.168.10.1/24
root@host-2# show | display set 
set version 14.1X53-D35.3
set system host-name host-2
set system root-authentication encrypted-password "$1$Vxl1d5Ku$.B1nWvweKPpgTrDReOuW6/"
set system services ssh
set system services telnet
set interfaces xe-0/0/0 unit 0 family inet address 192.168.10.2/24
set interfaces vme unit 0 family inet address 10.11.18.2/24
{master:0}[edit]
root@qfx5100-1# run show route  

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.1/32        *[Direct/0] 08:21:11
                    > via lo0.0
10.1.18.0/24       *[Direct/0] 07:38:55
                    > via vme.0
10.1.18.1/32       *[Local/0] 07:38:55
                      Local via vme.0
10.2.2.2/32        *[BGP/170] 00:39:43, localpref 100
                      AS path: 65402 I, validation-state: unverified
                    > to 10.10.10.2 via xe-0/0/36.0
10.10.10.0/30      *[Direct/0] 02:13:47
                    > via xe-0/0/36.0
10.10.10.1/32      *[Local/0] 02:13:47
                      Local via xe-0/0/36.0

:vxlan.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.1/32        *[Direct/0] 08:11:30
                    > via lo0.0
10.1.18.0/24       *[Direct/0] 07:38:55
                    > via vme.0
10.1.18.1/32       *[Local/0] 00:19:43
                      Local via vme.0
10.10.10.0/30      *[Direct/0] 02:13:47
                    > via xe-0/0/36.0
10.10.10.1/32      *[Local/0] 02:13:47
                      Local via xe-0/0/36.0
10.10.10.2/32      *[Static/1] 00:36:40, metric2 0
                    > to 10.10.10.2 via xe-0/0/36.0

bgp.evpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2:10.1.1.2:1::10::ec:13:db:8e:5d:e3/304               
                   *[BGP/170] 00:19:52, localpref 100
                      AS path: 65402 I, validation-state: unverified
                    > to 10.10.10.2 via xe-0/0/36.0
3:10.1.1.1:1::10::10.1.1.1/304               
                   *[EVPN/170] 07:53:55
                      Indirect
3:10.1.1.2:1::10::10.2.2.2/304               
                   *[BGP/170] 00:39:43, localpref 100
                      AS path: 65402 I, validation-state: unverified
                    > to 10.10.10.2 via xe-0/0/36.0

default-switch.evpn.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2:10.1.1.2:1::10::ec:13:db:8e:5d:e3/304               
                   *[BGP/170] 00:19:52, localpref 100
                      AS path: 65402 I, validation-state: unverified
                    > to 10.10.10.2 via xe-0/0/36.0
3:10.1.1.1:1::10::10.1.1.1/304               
                   *[EVPN/170] 07:53:55
                      Indirect
3:10.1.1.2:1::10::10.2.2.2/304               
                   *[BGP/170] 00:36:40, localpref 100
                      AS path: 65402 I, validation-state: unverified
                    > to 10.10.10.2 via xe-0/0/36.0
root@qfx5100-1# run show evpn instance extensive 
Instance: __default_evpn__
  Route Distinguisher: 10.1.1.1:0
  VLAN ID: None
  Per-instance MAC route label: 299776
  MAC database status                     Local  Remote
    MAC advertisements:                       0       0
    MAC+IP advertisements:                    0       0
    Default gateway MAC advertisements:       0       0
  Number of ethernet segments: 0

Instance: default-switch
  Route Distinguisher: 10.1.1.1:1
  Encapsulation type: VXLAN
  MAC database status                     Local  Remote
    MAC advertisements:                       0       1
    MAC+IP advertisements:                    0       0
    Default gateway MAC advertisements:       0       0
  Number of local interfaces: 1 (1 up)
    Interface name  ESI                            Mode             Status
    xe-0/0/0.0      00:00:00:00:00:00:00:00:00:00  single-homed     Up    
  Number of IRB interfaces: 0 (0 up)
  Number of bridge domains: 1
    VLAN  VNI    Intfs / up    IRB intf   Mode             MAC sync  IM route label
    10    10         1   1                Extended         Enabled   10     
  Number of neighbors: 1
    10.2.2.2
      Received routes
        MAC address advertisement:              1
        MAC+IP address advertisement:           0
        Inclusive multicast:                    1
        Ethernet auto-discovery:                0
  Number of peers: 1
    10.10.10.2
      Received routes
        MAC address advertisement:              1
        MAC+IP address advertisement:           0
        Inclusive multicast:                    1
        Ethernet auto-discovery:                0
  Number of ethernet segments: 0
  Router-ID: 10.1.1.1
  Source VTEP interface IP: 10.1.1.1
{master:0}[edit]
root@qfx5100-1# run show evpn database    
Instance: default-switch
VLAN  VNI  MAC address        Active source                  Timestamp        IP address
      10    ec:13:db:8d:fe:e3  xe-0/0/0.0                     Nov 11 18:54:35
      10    ec:13:db:8e:5d:e3  10.10.10.2                     Nov 11 18:33:55

{master:0}[edit]
root@qfx5100-2# run show ethernet-switching table 

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)


Ethernet switching table : 2 entries, 2 learned
Routing instance : default-switch
   Vlan                MAC                 MAC      Logical                Active
   name                address             flags    interface              source
   hosts               ec:13:db:8d:fe:e3   D        vtep.32769             10.10.10.1                    
   hosts               ec:13:db:8e:5d:e3   D        xe-0/0/0.0       


root@qfx5100-1# run show ethernet-switching vxlan-tunnel-end-point source 
Logical System Name       Id  SVTEP-IP         IFL   L3-Idx
<default>                 0   10.1.1.1         lo0.0    0  
    L2-RTT                   Bridge Domain              VNID     MC-Group-IP
    default-switch           hosts+10                   10       0.0.0.0        

{master:0}[edit]
root@qfx5100-1# run show ethernet-switching vxlan-tunnel-end-point remote    
Logical System Name       Id  SVTEP-IP         IFL   L3-Idx
<default>                 0   10.1.1.1         lo0.0    0  
 RVTEP-IP         IFL-Idx   NH-Id
 10.10.10.2       549       1678     
    VNID          MC-Group-IP      
    10            0.0.0.0         

{master:0}[edit]
root@qfx5100-1# run show ethernet-switching vxlan-tunnel-end-point remote mac-table 

MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
           SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)

Logical system   : <default>
Routing instance : default-switch
 Bridging domain : hosts+10, VLAN : 10, VNID : 10
   MAC                 MAC      Logical          Remote VTEP
   address             flags    interface        IP address
   ec:13:db:8e:5d:e3   D        vtep.32769       10.10.10.2   

root@qfx5100-2# run show ethernet-switching vxlan-tunnel-end-point source 
Logical System Name       Id  SVTEP-IP         IFL   L3-Idx
<default>                 0   10.2.2.2         lo0.0    0  
    L2-RTT                   Bridge Domain              VNID     MC-Group-IP
    default-switch           hosts+10                   10       0.0.0.0        

{master:0}[edit]
root@qfx5100-2# run show ethernet-switching vxlan-tunnel-end-point remote mac-table 

MAC flags (S -static MAC, D -dynamic MAC, L -locally learned, C -Control MAC
           SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)

Logical system   : <default>
Routing instance : default-switch
 Bridging domain : hosts+10, VLAN : 10, VNID : 10
   MAC                 MAC      Logical          Remote VTEP
   address             flags    interface        IP address
   ec:13:db:8d:fe:e3   D        vtep.32769       10.10.10.1  
{master:0}[edit]
root@host-1# run ping 192.168.10.2 rapid count 1000    
PING 192.168.10.2 (192.168.10.2): 56 data bytes
...................................................................................................................................................^C
--- 192.168.10.2 ping statistics ---
148 packets transmitted, 0 packets received, 100% packet loss

All of the state looks normal, so why does the ping fail?

Thank you !

 

 

 


Re: qfx5100-48S: EVPN AND VXLAN

‎12-17-2016 03:51 AM

From both the QFX switches and the hosts, run the following commands:
>show route 192.168.10.2

>show route 192.168.10.1


Re: qfx5100-48S: EVPN AND VXLAN

‎06-08-2017 02:20 PM

Have you tried performing the following on both of your leaf switches:

 

deactivate switch-options vrf-import vrf-import

If you do not have this statement in your configuration, then Junos will automatically create the hidden policies for you!!!

 

If you specify it, then you will also need to allow in the

target:65401:100

otherwise you will not get your ESI etc. functioning as required.

 

example:

set policy-options community evpn-type1 members target:65401:100

set policy-options policy-statement vrf-import term EVPN-Type1-Routes from community evpn-type1
set policy-options policy-statement vrf-import term EVPN-Type1-Routes then accept

set policy-options policy-statement vrf-import term vxlan10 from community vxlan10
set policy-options policy-statement vrf-import term vxlan10 then accept
set policy-options policy-statement vrf-import then reject

 

I based my config on this blog:

https://blog.noc.grnet.gr/2016/09/28/lab-on-evpn-vxlan-on-juniper-qfx5100-switches-3/

 

Oh, and make sure you are on D.43, otherwise you will hit a bug in multihoming with ESI.

 


Re: qfx5100-48S: EVPN AND VXLAN

‎06-14-2017 10:00 AM

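Use lo0 as the source IP address for the BGP adjacency, as shown below. In the outputs above, each switch lists its remote VTEP as the peer's link address (10.10.10.2 and 10.10.10.1), while the source VTEP on each side is the lo0.0 address (10.1.1.1 and 10.2.2.2).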

 

protocols {

bgp {

group interop {

type internal;

local-address 10.10.10.70;

family evpn {

signaling;

}

neighbor 10.10.10.26;

 

Remove vrf-import under switch-options and use the simple switch options command.

 

Example:

set policy-options policy-statement VRF-IMPORT term Vxlan10 from community vxlan10

set policy-options policy-statement VRF-IMPORT term Vxlan10 then accept

set policy-options community vxlan10 members target:777:777

set switch-options vtep-source-interface lo0.0

set switch-options route-distinguisher 1.1.1.1:100

set switch-options vrf-import VRF-IMPORT

set switch-options vrf-target target:777:777

 

set protocols evpn extended-vni-list 10

set protocols evpn multicast-mode ingress-replication

set protocols evpn vni-options vni 10

 

Repeat the same on the other QFX5100 device. Remove the policy configuration and use the above example. Ping should go through.
