Switching

Q in VNI and overlapping vlans in an evpn/vxlan ip fabric - is this configuration supposed to work?!

  • 1.  Q in VNI and overlapping vlans in an evpn/vxlan ip fabric - is this configuration supposed to work?!

    Posted 03-24-2019 11:30

    Hello, we have bought a few QFX5120 switches.

    Our company is going to offer colocation in our new datacenter, and I intend to use evpn with vxlan in this setup.

    I will not route any customer traffic on my switches, because I/they will do all routing externally. 

    Therefore, each customer needs to be able to use their own vlans. 

     

    I have a spine and leaf topology. I am using eBGP for underlay to distribute loopbacks. I use iBGP in a full mesh between leaves to exchange EVPN information.

     

    Take note, I did get evpn with vxlan working when I used regular "trunk" interfaces. However, using that approach, I cannot have overlapping VLANS on the same switch, which I need to work in my colo-case.

     

    To my understanding, I need to use encapsulation flexible-ethernet-services, and put every one customer interface in a vlan configuration, with encapsulation vlan-bridge. I understand this as creating separate bridges for each vlan configuration? Finally I use encapsulate-inner-vlan on the bridge-vxlan config, something like this:

     

     

    olof@o12-ls01> show configuration interfaces xe-0/0/7 | display set 
    set interfaces xe-0/0/7 description "TEST Customer123"
    set interfaces xe-0/0/7 vlan-tagging
    set interfaces xe-0/0/7 mtu 9000
    set interfaces xe-0/0/7 encapsulation flexible-ethernet-services
    set interfaces xe-0/0/7 unit 100 description TEST
    set interfaces xe-0/0/7 unit 100 encapsulation vlan-bridge
    set interfaces xe-0/0/7 unit 100 vlan-id-list 1-4094
    
    olof@o12-ls01> show configuration vlans Customer123_test | display set 
    set vlans Customer123_test interface xe-0/0/7.100
    set vlans Customer123_test vxlan vni 200123
    set vlans Customer123_test vxlan encapsulate-inner-vlan
    set vlans Customer123_test vxlan ingress-node-replication
    
    set protocols evpn encapsulation vxlan
    set protocols evpn multicast-mode ingress-replication
    set protocols evpn extended-vni-list all
    set protocols l2-learning decapsulate-accept-inner-vlan

     

     

     

    I do see records in evpn database showing up from my customers, who are sending me vlan tagged frames.

    However, they are unable to contact each other.

     

    olof@o12-ls01> show evpn database 
    Instance: default-switch
    VLAN  DomainId  MAC address        Active source   Timestamp        IP address
          200123    00:50:56:a7:52:c1  10.18.255.35    Mar 24 18:08:15  172.18.66.22
          200123    00:50:56:a7:56:8b  xe-0/0/7.100    Mar 24 18:07:50  172.18.66.14
          200123    00:50:56:a7:66:46  xe-0/0/7.100    Mar 24 18:07:49  172.18.66.13
    
    olof@o12-ls01> show ethernet-switching table
    ...
    name              address            flags  interface     source
    Customer123_test  00:50:56:a7:52:c1  D      vtep.32769    10.18.255.35
    Customer123_test  00:50:56:a7:56:8b  D      xe-0/0/7.100
    Customer123_test  00:50:56:a7:66:46  D      xe-0/0/7.100

     

     

     

    And this is my system version.

    olof@o12-ls01> show version 
    ...
    Hostname: o12-ls01
    Model: qfx5120-48y-8c
    Junos: 18.3R1.11 flex
    JUNOS OS Kernel 64-bit FLEX [20180816.8630ec5_builder_stable_11]

     

     

    I used forwarding-options analyzer, but I was only able to see traffic one way. I could see Q in the vxlan packet, which is great; however, still no traffic was being exchanged between hosts. 

     


    #vxlan
    #QinQ


  • 2.  RE: Q in VNI and overlapping vlans in an evpn/vxlan ip fabric - is this configuration supposed to work?!

    Posted 03-24-2019 17:02

    I changed my vlan-id-list to NOT include vlan id 1. Now I successfully can ping the other side, with Q in VNI. 

     

    olof@o12-ls01# show interfaces xe-0/0/7 | display set
    set interfaces xe-0/0/7 vlan-tagging
    set interfaces xe-0/0/7 mtu 9000
    set interfaces xe-0/0/7 encapsulation flexible-ethernet-services
    set interfaces xe-0/0/7 unit 100 encapsulation vlan-bridge
    set interfaces xe-0/0/7 unit 100 vlan-id-list 2-4094

    Leaf switch 2. Just testing a slightly different config, but it is compatible with the above evpn.

    olof@o12-ls02# show interfaces xe-0/0/7 | display set
    set interfaces xe-0/0/7 flexible-vlan-tagging
    set interfaces xe-0/0/7 mtu 9000
    set interfaces xe-0/0/7 encapsulation extended-vlan-bridge
    set interfaces xe-0/0/7 unit 100 vlan-id-list 2-4094


    https://imgur.com/a/rotXxpJ TAG: 0x8100 vlan id 59 - traffic works! 

     

    *However*, if I include vlan ID 1 in the vlan id list, I somehow get vlan tag 3 in the packets?!, and everything breaks... I'm confused? 

    https://imgur.com/a/ASVsU77

     

     



  • 3.  RE: Q in VNI and overlapping vlans in an evpn/vxlan ip fabric - is this configuration supposed to work?!
    Best Answer

     
    Posted 03-24-2019 21:05

    Hi OlofL,

     

    If flexible-vlan-tagging achieves your desired operation, then its supported configuration is outlined here, and the config you have looks alright:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/evpn-vxlan-flexible-vlan-tag.html

     

    Regarding VLAN 1, please check the VXLAN constraints part for this note:

    https://www.juniper.net/documentation/en_US/junos/topics/concept/vxlan-constraints-qfx-series.html

     

    "When configuring a VLAN ID for a VXLAN, we strongly recommend using a VLAN ID of 3 or higher. If you use a VLAN ID of 1 or 2, replicated broadcast, multicast, and unknown unicast (BUM) packets for these VXLANs might be untagged, which in turn might result in the packets being dropped by a device that receives the packets."

     

    Hope this helps.

     

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).
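
A check for the constraint quoted in the answer above, as an added example that is not part of the original thread and not Juniper tooling: it reads `display set` output and lists VXLAN-mapped VLANs whose member logical interface carries VLAN ID 1 or 2. Applying the quoted note to `vlan-id-list` ranges is an assumption based on the behaviour reported in post 2; the function names `low_ids` and `audit` are hypothetical.

```python
import re

# VLAN IDs the quoted note advises against for VXLAN-mapped VLANs.
LOW_VLAN_IDS = {1, 2}

IFL_LIST = re.compile(r"^set interfaces (\S+) unit (\d+) vlan-id-list (\S+)$")
VLAN_IFL = re.compile(r"^set vlans (\S+) interface (\S+)$")
VLAN_VNI = re.compile(r"^set vlans (\S+) vxlan vni (\d+)$")

# Sample input: the leaf 1 lines posted in the thread, trimmed.
SAMPLE = """\
set interfaces xe-0/0/7 vlan-tagging
set interfaces xe-0/0/7 encapsulation flexible-ethernet-services
set interfaces xe-0/0/7 unit 100 encapsulation vlan-bridge
set interfaces xe-0/0/7 unit 100 vlan-id-list 1-4094
set vlans Customer123_test interface xe-0/0/7.100
set vlans Customer123_test vxlan vni 200123
set vlans Customer123_test vxlan encapsulate-inner-vlan
"""


def low_ids(item):
    """Return which of VLAN 1 and 2 a vlan-id-list item ('59', '1-4094') covers."""
    lo, _, hi = item.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return {v for v in LOW_VLAN_IDS if lo <= v <= hi}


def audit(config_text):
    """List (vlan, vni, ifl, low_ids) for VXLAN VLANs whose member unit carries VLAN 1 or 2."""
    ifl_low, members, vnis = {}, {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        if m := IFL_LIST.match(line):
            ifl_low.setdefault(f"{m[1]}.{m[2]}", set()).update(low_ids(m[3]))
        elif m := VLAN_IFL.match(line):
            members.setdefault(m[1], []).append(m[2])
        elif m := VLAN_VNI.match(line):
            vnis[m[1]] = int(m[2])
    return sorted(
        (name, vni, ifl, sorted(ifl_low[ifl]))
        for name, vni in vnis.items()
        for ifl in members.get(name, [])
        if ifl_low.get(ifl)
    )


if __name__ == "__main__":
    for name, vni, ifl, ids in audit(SAMPLE):
        print(f"{name} (VNI {vni}): {ifl} carries VLAN ID(s) {ids}")
```

With the `2-4094` list from post 2 the check still reports VLAN 2, since the quoted note recommends IDs of 3 or higher.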