Switching

 View Only
last person joined: 3 days ago 

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  EVPN loop prevention?

    Posted 12-02-2019 04:25

    Looking at the network drawing I made, there is a possibility that the VLAN from the last-mile provider enters our network on two different physical ports. The VLAN is put in the same EVPN instance.

    The last-mile provider uses this so that we as the ISP are in control of migrating from one physical port to the other.

    I'm wondering if this setup creates a loop, since an EVPN instance is sort of the same as a L2 switch. Or does EVPN have some sort of loop prevention built in?

     

    Screenshot 2019-12-02 at 13.27.19.png



  • 2.  RE: EVPN loop prevention?

    Posted 12-02-2019 04:56

    Hello,

     


    @Beeelzebub wrote:

    Looking at the network drawing I made, there is a possibility that the VLAN from the last-mile provider enters our network on two different physical ports. The VLAN is put in the same EVPN instance.

    The last-mile provider uses this so that we as the ISP are in control of migrating from one physical port to the other.

    I'm wondering if this setup creates a loop, since an EVPN instance is sort of the same as a L2 switch.


     

    There is a L2 loop possibility, no doubt about it.

     

     


    @Beeelzebub wrote:

    does EVPN have some sort of loop prevention built in?

     


    Yes, of course,

    If You are using EVPN Single-Active a.k.a. Active/Standby (A/S), then one of JUNOS PEs (the non-DF PE) will block its CE-facing port/VLAN - more specifically, the CE-facing port or VLAN on non-DF PE will be in "CCC-Down" state.

    If You are using EVPN All-Active a.k.a A/A then You must configure both CE-facing ports in the same LAG   - this is RFC 7432 section https://tools.ietf.org/html/rfc7432#section-8.5

     

    If a bridged network is multihomed to more than one PE in an EVPN
    network via switches, then the support of All-Active redundancy mode
    requires the bridged network to be connected to two or more PEs using a LAG.

     

    Kind of MCLAG but no ICCP and no ICL - all You need is to use same LAG system-id and same ESI for these 2 CE-facing ports on both PEs.

     

    Finally, if You are using CE-facing ports on both PE as EVPN Single Homed (SH) then You shall make Your own loop prevention measures - run STP through EVPN, use Split Horizon on last-mile switch (if supported), etc

     

    HTH

    Thx

    Alex


     

     

     

     

     



  • 3.  RE: EVPN loop prevention?

     
    Posted 12-02-2019 06:19
    Hi Beeelzebub,

    Yes EVPN has a concept of designated forwarding (with ESI LAG) and split-horizon. Please check these out for details:

    https://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-bgp-multihoming-overview.html
    https://www.juniper.net/documentation/en_US/release-independent/solutions/topics/concept/evpn-lag-guide-features.html


    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).


  • 4.  RE: EVPN loop prevention?

    Posted 12-02-2019 06:49

    `No one didn't mark yet, has this solution worked???



  • 5.  RE: EVPN loop prevention?

    Posted 12-02-2019 13:07

    To the guys who answered: thanks for your information!

    I can see that a LAG needs to be created in order for EVPN to recognize it as a multihoming setup.

    However, I won't be able to create a LAG with the last-mile provider, so I will need to think of other ways to accomplish this (aside from creating multiple EVPN instances).

    For instance, we use the following family bridge firewall filters to protect the PPPoE clients from receiving PADI packets from other clients ( see below ).

    These filters are used on all logical interfaces, which would I think protect my network from L2 loops?

     

     

    show firewall family bridge 
    filter ACCEPT-PPPOE-ONLY-OUT {
        term discard-PADI {
            from {
                ether-type pppoe-discovery;
                destination-mac-address {
                    ff:ff:ff:ff:ff:ff/48;
                }
            }
            then discard;
        }
        term accept-pppoe {
            from {
                ether-type [ pppoe-discovery pppoe-session ];
            }
            then accept;
        }
        term discard-rest {
            then discard;
        }
    }
    filter ACCEPT-PPPOE-ONLY-IN {
        term accept-pppoe {
            from {
                ether-type [ pppoe-discovery pppoe-session ];
            }
            then accept;
        }
        term discard-rest {
            then discard;
        }
    }
    
    unit 1004 {
        encapsulation vlan-bridge;
        vlan-id 1004;
        family bridge {
            filter {
                input ACCEPT-PPPOE-ONLY-IN;
                output ACCEPT-PPPOE-ONLY-OUT;
            }
        }
    }

     



  • 6.  RE: EVPN loop prevention?
    Best Answer

    Posted 12-02-2019 21:49

    Hello,

     


    @Beeelzebub wrote:

     

    For instance, we use the following family bridge firewall filters to protect the PPPoE clients from receiving PADI packets from other clients ( see below ).

    These filters are used on all logical interfaces, which would I think protect my network from L2 loops?

     

    show firewall family bridge 
    filter ACCEPT-PPPOE-ONLY-OUT {
        term discard-PADI {
            from {
                ether-type pppoe-discovery;
                destination-mac-address {
                    ff:ff:ff:ff:ff:ff/48;
                }
            }
            then discard;
        }
        term accept-pppoe {
            from {
                ether-type [ pppoe-discovery pppoe-session ];
            }
            then accept;
        }
        term discard-rest {
            then discard;
        }
    }
    filter ACCEPT-PPPOE-ONLY-IN {
        term accept-pppoe {
            from {
                ether-type [ pppoe-discovery pppoe-session ];
            }
            then accept;
        }
        term discard-rest {
            then discard;
        }
    }
    
    unit 1004 {
        encapsulation vlan-bridge;
        vlan-id 1004;
        family bridge {
            filter {
                input ACCEPT-PPPOE-ONLY-IN;
                output ACCEPT-PPPOE-ONLY-OUT;
            }
        }
    }

     


     

    No. If You take no other measures and if You get PPPOE Unknown Unicast (from core or last-mile switch), it will loop through Your EVPN PEs and last-mile switch.

    HTH

    Thx

    Alex

     



  • 7.  RE: EVPN loop prevention?

    Posted 12-03-2019 05:07

    Hi Alex,

     

    Thanks, we will create multiple EVPN instances should we have a last-mile provider with two connections to our network.

    We do not have a possibility of creating a LAG with LACP, so the above option will do..

     

    Marijn



  • 8.  RE: EVPN loop prevention?

    Posted 04-04-2021 23:44
    Good thread.

    thanks a lot !!


  • 9.  RE: EVPN loop prevention?

    Posted 09-29-2021 10:51
    HI,
    Any working solution for this?
     I tried using the ESI with static LAG not working. tried to play with the RSTP also can't detect and blocking the looping.