EVPN virtual gateway

  • 1.  EVPN virtual gateway

    Posted 12-21-2020 19:07

    Hello everyone. I am having a hard time deploying evpn with virtual-gateway. Let's say we have routers PE1, PE2, PE3 - then CE1 off of PE1, CE2 and CE3 each multi-homed off of PE2 and PE3. So far we have L2/L3 connectivity between all 3 customer sites. Then configured PE2 and PE3 with the virtual gateway config.

    PE2:

    set interfaces irb unit 1010 proxy-macip-advertisement
    set interfaces irb unit 1010 virtual-gateway-accept-data
    set interfaces irb unit 1010 family inet address 30.30.30.3/24 virtual-gateway-address 30.30.30.9

    PE3:
    set interfaces irb unit 1010 proxy-macip-advertisement
    set interfaces irb unit 1010 virtual-gateway-accept-data
    set interfaces irb unit 1010 family inet address 30.20.30.4/24 virtual-gateway-address 30.20.30.9


    CE2 and CE3 have no issues, everything works! I can ping .3/.4 (being the irb IPs), I can ping .9 and can pass traffic to external subnets. CE1 on the other hand can ping CE2 and CE3 but can't ping any of the remote gateway/virtual gateway (being .3/.4/.9). I tested this by applying below config to PE1:


    set interfaces irb unit 1010 proxy-macip-advertisement
    set interfaces irb unit 1010 virtual-gateway-accept-data
    set interfaces irb unit 1010 family inet address 30.30.30.2/24 virtual-gateway-address 30.30.30.9

    CE1 can now ping everything else just like CE2/CE3. Below is sample config from my two routing instances in case needed, captured from PE2:

    set routing-instances SW1 protocols evpn interface ge-0/0/9.1010
    set routing-instances SW1 protocols evpn default-gateway no-gateway-community
    set routing-instances SW1 vtep-source-interface lo0.0
    set routing-instances SW1 instance-type evpn
    set routing-instances SW1 vlan-id 1010
    set routing-instances SW1 routing-interface irb.1010
    set routing-instances SW1 interface ge-0/0/9.1010
    set routing-instances SW1 route-distinguisher 1.1.1.1:1010
    set routing-instances SW1 vrf-target target:100:1010
    set routing-instances vrf instance-type vrf
    set routing-instances vrf interface irb.1010
    set routing-instances vrf interface lo0.1
    set routing-instances vrf route-distinguisher 1.1.1.1:1111
    set routing-instances vrf vrf-target target:100:1111
    set routing-instances vrf vrf-table-label

    I must be missing something - should I be able to ping gateways that are on remote PE nodes?

    Any help is appreciated!



  • 2.  RE: EVPN virtual gateway

    Posted 12-22-2020 14:58

    are all virtual gateways supposed to be 30.30.30.9? if so, is this a typo on PE3? I see second octet is 20. should second octet be 30 for both the address and vga?

    PE3:
    ...
    set interfaces irb unit 1010 family inet address 30.20.30.4/24 virtual-gateway-address 30.20.30.9



    ------------------------------
    Aaron Gould
    Senior Network Engineer
    aaron@gvtc.com
    https://www.linkedin.com/in/agould123/
    ------------------------------
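
The cross-PE comparison made in the reply above can be automated. This is an added example, not part of the thread: the function names are hypothetical, and the sample input is constructed from the PE2 and PE3 irb lines as posted in the first message.

```python
import ipaddress
import re

# Constructed input: the irb lines exactly as posted for PE2 and PE3 in post 1.
POSTED = {
    "PE2": "set interfaces irb unit 1010 family inet address 30.30.30.3/24 "
           "virtual-gateway-address 30.30.30.9",
    "PE3": "set interfaces irb unit 1010 family inet address 30.20.30.4/24 "
           "virtual-gateway-address 30.20.30.9",
}

# Matches an irb address line, with or without a virtual-gateway-address.
IRB_RE = re.compile(
    r"set interfaces irb unit (\d+) family inet address (\S+)"
    r"(?: virtual-gateway-address (\S+))?$"
)

def parse_irb(configs):
    """Map irb unit -> list of (pe, interface address, virtual gateway or None)."""
    units = {}
    for pe, text in configs.items():
        for line in text.splitlines():
            m = IRB_RE.match(line.strip())
            if m:
                unit, addr, vga = m.groups()
                vga = ipaddress.ip_address(vga) if vga else None
                units.setdefault(unit, []).append(
                    (pe, ipaddress.ip_interface(addr), vga))
    return units

def check_gateways(configs):
    """Return human-readable findings; an empty list means the PEs agree."""
    findings = []
    for unit, entries in sorted(parse_irb(configs).items()):
        subnets = sorted({str(i.network) for _, i, _ in entries})
        vgas = sorted({str(v) for _, _, v in entries if v})
        if len(subnets) > 1:
            findings.append(f"irb.{unit}: subnets differ across PEs: {subnets}")
        if len(vgas) > 1:
            findings.append(f"irb.{unit}: virtual-gateway-address differs: {vgas}")
        for pe, iface, vga in entries:
            # A gateway outside the unit's own subnet is unreachable for hosts.
            if vga and vga not in iface.network:
                findings.append(f"irb.{unit} on {pe}: {vga} is outside {iface.network}")
    return findings

if __name__ == "__main__":
    for finding in check_gateways(POSTED):
        print(finding)
```
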



  • 3.  RE: EVPN virtual gateway

    Posted 12-22-2020 17:07

    Hi Aaron, this seems to be a typo here - in my lab all IPs are within range.

    Update: I decided to move away from virtual gateway and use anycast gateway. So PE1/PE2 have this config now:

    set interfaces irb unit 1010 proxy-macip-advertisement
    set interfaces irb unit 1010 family inet address 30.30.30.9/24

    CE1 still has the same issue. It can't ping .9 (irb IP on remote PE).




  • 4.  RE: EVPN virtual gateway

    Posted 12-22-2020 22:21

    i set up a quick lab, hopefully to be like yours. i have irb.10 on pe2 and pe3... i did not put irb.10 on pe1... (i think that's what you said yours is like)

    info...

    pe-1 is 10.0.0.11 lo0.0
    pe-2 is 10.0.0.12 lo0.0 - irb.10 172.16.0.1/24
    pe-3 is 10.0.0.13 lo0.0 - irb.10 172.16.0.1/24

    ce-1 is 172.16.0.10
    ce-2 is 172.16.0.11
    ce-3 is 172.16.0.12

    i have ...

    ce-1------pe-1---|
    ce-2------pe-2---|MPLS CLOUD BACK HERE
    ce-3------pe-3---|

    ce-1 can ping evpn default gateway on irb.10 of pe-2 and pe-3

    here's pe-1 evpn and bgp tables....

    root@pe-01-mx> show route table my-evpn.evpn.0 | grep 172.16.0.1\/
    2:10.0.0.12:99::10::00:00:00:00:00:0a::172.16.0.1/304 MAC/IP
    2:10.0.0.13:99::10::00:00:00:00:00:0a::172.16.0.1/304 MAC/IP

    root@pe-01-mx> show evpn database
    Instance: my-evpn
    VLAN DomainId MAC address Active source Timestamp IP address
    10 00:00:00:00:00:0a 10.0.0.13 Dec 22 21:17:46 172.16.0.1
    10 c2:13:77:b4:00:00 ge-0/0/8.10 Dec 22 21:11:37 172.16.0.10
    10 c2:14:76:3b:00:00 10.0.0.12 Dec 22 21:15:10 172.16.0.11
    10 c2:15:74:bb:00:00 10.0.0.13 Dec 22 21:11:36 172.16.0.12

    what do you have in those tables on your pe-1?



    ------------------------------
    Aaron Gould
    Senior Network Engineer
    aaron@gvtc.com
    https://www.linkedin.com/in/agould123/
    ------------------------------



  • 5.  RE: EVPN virtual gateway

    Posted 12-23-2020 10:02

    Aaron,

    Thank you for taking the time and labbing this up! I appreciate it. Your setup almost matches mine; I made a minor change to make this easier to understand.

    pe-1 is 1.1.1.1 lo0.0 - irb.1010 30.20.30.9/24
    pe-2 is 2.2.2.2 lo0.0 - irb.1010 30.20.30.9/24
    pe-3 is 3.3.3.3 lo0.0

    ce-1 is 30.20.30.7/24
    ce-2 is 30.20.30.8/24
    ce-3 is 30.20.30.1/24

    i have ...

    ce-1------pe-1---|
    ce-2------pe-2---|MPLS CLOUD BACK HERE
    ce-3------pe-3---|

    What's interesting is I have all the routes I should have:

    from PE3:


    root@PE3> show route table SW.evpn.0 | grep 30.20.30.9
    2:1.1.1.1:1010::1010::2c:6b:f5:d7:eb:f0::30.20.30.9/304 MAC/IP
    2:2.2.2.2:1010::1010::2c:6b:f5:44:69:f0::30.20.30.9/304 MAC/IP

    root@PE3> show evpn database (focusing on .1 and .9, ignore the rest)
    Instance: SW
    VLAN DomainId MAC address Active source Timestamp IP address
    1010 00:00:00:00:10:10 2.2.2.2 Dec 23 14:52:12 30.20.30.9
    1010 00:05:86:71:ab:00 00:00:00:00:00:00:00:00:10:10 Dec 23 14:52:32 30.20.30.7
    1010 00:05:86:71:c8:02 ge-0/0/2.1010 Dec 23 14:49:38 30.20.30.1
    1010 2c:6b:f5:9f:9a:f0 00:00:00:00:00:00:00:00:10:10 Dec 23 14:49:59
    1010 2c:6b:f5:e8:6f:f0 00:00:00:00:00:00:00:00:10:10 Dec 23 14:53:36 30.20.30.6

    Please ignore the esi portion (00:00:00:00:00:00:00:00:10:10). I am trying to establish connectivity between CE1 (.7) and CE3 (.1). evpn database seems to have all the info needed! It's even more interesting that CE3 sees the arp entry for remote gateway (irb on PE1/PE2):

    root@CE3> show arp no-resolve
    MAC Address Address Interface Flags
    2c:6b:f5:9f:9a:f0 30.20.30.5 ge-0/0/2.1010 none
    2c:6b:f5:e8:6f:f0 30.20.30.6 ge-0/0/2.1010 none
    00:05:86:71:ab:00 30.20.30.7 ge-0/0/2.1010 none
    00:00:00:00:10:10 30.20.30.9 ge-0/0/2.1010 none

    arp table from PE1/PE2 if needed:

    root@PE1> show evpn arp-table | match ".1|.9"
    30.20.30.9 00:00:00:00:10:10 irb.1010 SW __SW__
    30.20.30.1 00:05:86:71:c8:02 SW __SW__


    root@PE2> show evpn arp-table | match ".1|.9"
    30.20.30.9 00:00:00:00:10:10 irb.1010 SW __SW__
    30.20.30.1 00:05:86:71:c8:02 SW __SW__

    I see your mac for IRB is 00:00:00:00:00:0a, did you manually configure that on irb>mac? I see all the arp and entries I should see, still can't ping. This could very well be an issue with the images I'm using (vmx 20.1R1.11). What images were you using? Do you mind sharing your lab config? I'm really not sure why it's not working for me.

    Thanks



  • 6.  RE: EVPN virtual gateway

    Posted 12-24-2020 16:09

    So what is the current issue you are having?

    I changed my lab to be more like yours. All my CEs can ping .9 (see below)

    *** regarding .9, here's pe tables pe1, pe2, pe3

    root@pe-01-mx> show route table SW.evpn.0 | grep 30.20.30.9
    2:1.1.1.1:1010::1010::2c:6b:f5:d3:00:f0::30.20.30.9/304 MAC/IP
    2:2.2.2.2:1010::1010::2c:6b:f5:34:46:f0::30.20.30.9/304 MAC/IP

    root@pe-02-mx> show route table SW.evpn.0 | grep 30.20.30.9
    2:1.1.1.1:1010::1010::2c:6b:f5:d3:00:f0::30.20.30.9/304 MAC/IP
    2:2.2.2.2:1010::1010::2c:6b:f5:34:46:f0::30.20.30.9/304 MAC/IP

    root@pe-03-mx> show route table SW.evpn.0 | grep 30.20.30.9
    2:1.1.1.1:1010::1010::2c:6b:f5:d3:00:f0::30.20.30.9/304 MAC/IP
    2:2.2.2.2:1010::1010::2c:6b:f5:34:46:f0::30.20.30.9/304 MAC/IP

    ce-1#ping 30.20.30.9
    Sending 5, 100-byte ICMP Echos to 30.20.30.9, timeout is 2 seconds:
    !!!!!

    ce-2#ping 30.20.30.9
    Sending 5, 100-byte ICMP Echos to 30.20.30.9, timeout is 2 seconds:
    !!!!!

    ce-3#ping 30.20.30.9
    Sending 5, 100-byte ICMP Echos to 30.20.30.9, timeout is 2 seconds:
    !!!!!



    ------------------------------
    Aaron Gould
    Senior Network Engineer
    aaron@gvtc.com
    https://www.linkedin.com/in/agould123/
    ------------------------------



  • 7.  RE: EVPN virtual gateway

    Posted 12-24-2020 21:54

    Hi Aaron. Interestingly enough, this issue seems to only be related to junos 20.1R1.11! I redeployed the same config on 19.4R1.10 and it works! There should be a way to achieve this if this behavior was changed in 20x release. Not sure how to follow up on this issue though!

    Here is my config and setup to review:
    pe-1 is 1.1.1.1 lo0.0 - irb.1010 30.20.30.9/24
    pe-2 is 2.2.2.2 lo0.0 - irb.1010 30.20.30.9/24
    pe-3 is 3.3.3.3 lo0.0

    ce-3 is 30.20.30.1/24

    ce-1------pe-1---|
    ce-2------pe-2---|MPLS CLOUD BACK HERE
    ce-3------pe-3---|

    CE3 is able to ping .9 when using image 19.4R1.10 but not when using 20.1R1.11, exact same config!

    My configuration if needed:

    PE1:
    set interfaces irb unit 1010 family inet address 30.20.30.9/24
    set interfaces lo0 unit 0 family inet address 1.1.1.1/32
    set routing-instances SW1 protocols evpn interface ge-0/0/9.1010
    set routing-instances SW1 protocols evpn encapsulation mpls
    set routing-instances SW1 protocols evpn default-gateway advertise
    set routing-instances SW1 vtep-source-interface lo0.0
    set routing-instances SW1 instance-type evpn
    set routing-instances SW1 vlan-id 1010
    set routing-instances SW1 routing-interface irb.1010
    set routing-instances SW1 interface ge-0/0/9.1010
    set routing-instances SW1 route-distinguisher 1.1.1.1:1010
    set routing-instances SW1 vrf-target target:100:1010
    set interfaces ge-0/0/9 description SW1
    set interfaces ge-0/0/9 flexible-vlan-tagging
    set interfaces ge-0/0/9 encapsulation flexible-ethernet-services
    set interfaces ge-0/0/9 unit 1010 encapsulation vlan-bridge
    set interfaces ge-0/0/9 unit 1010 vlan-id 1010

    PE2:
    set interfaces irb unit 1010 family inet address 30.20.30.9/24
    set interfaces lo0 unit 0 family inet address 2.2.2.2/32
    set routing-instances SW1 protocols evpn interface ge-0/0/9.1010
    set routing-instances SW1 protocols evpn encapsulation mpls
    set routing-instances SW1 protocols evpn default-gateway advertise
    set routing-instances SW1 vtep-source-interface lo0.0
    set routing-instances SW1 instance-type evpn
    set routing-instances SW1 vlan-id 1010
    set routing-instances SW1 routing-interface irb.1010
    set routing-instances SW1 interface ge-0/0/9.1010
    set routing-instances SW1 route-distinguisher 2.2.2.2:1010
    set routing-instances SW1 vrf-target target:100:1010
    set interfaces ge-0/0/9 description SW1
    set interfaces ge-0/0/9 flexible-vlan-tagging
    set interfaces ge-0/0/9 encapsulation flexible-ethernet-services
    set interfaces ge-0/0/9 unit 1010 encapsulation vlan-bridge
    set interfaces ge-0/0/9 unit 1010 vlan-id 1010

    PE3:
    set interfaces lo0 unit 0 family inet address 3.3.3.3/32
    set routing-instances SW1 protocols evpn interface ge-0/0/2.1010
    set routing-instances SW1 protocols evpn encapsulation mpls
    set routing-instances SW1 vtep-source-interface lo0.0
    set routing-instances SW1 instance-type evpn
    set routing-instances SW1 vlan-id 1010
    set routing-instances SW1 interface ge-0/0/2.1010
    set routing-instances SW1 route-distinguisher 3.3.3.3:1010
    set routing-instances SW1 vrf-target target:100:1010
    set interfaces ge-0/0/2 description "To CE3-SW1"
    set interfaces ge-0/0/2 flexible-vlan-tagging
    set interfaces ge-0/0/2 mtu 9216
    set interfaces ge-0/0/2 encapsulation flexible-ethernet-services
    set interfaces ge-0/0/2 unit 1010 description SW1
    set interfaces ge-0/0/2 unit 1010 encapsulation vlan-bridge
    set interfaces ge-0/0/2 unit 1010 vlan-id 1010



  • 8.  RE: EVPN virtual gateway

    Posted 12-25-2020 01:01

    i'm glad you found the problem...

    here's one of my PE configs... we did evpn a little differently than each other... also here's my junos version 17.4R1.16

    pe2...
    set chassis network-services enhanced-ip
    set interfaces ge-0/0/8 flexible-vlan-tagging
    set interfaces ge-0/0/8 encapsulation flexible-ethernet-services
    set interfaces ge-0/0/8 unit 1010 encapsulation vlan-bridge
    set interfaces ge-0/0/8 unit 1010 vlan-id 1010
    set interfaces irb unit 1010 family inet address 30.20.30.9/24
    set interfaces lo0 unit 0 family inet address 2.2.2.2/32
    set routing-options router-id 2.2.2.2
    set routing-options autonomous-system 64512
    set protocols mpls interface ge-0/0/9.0
    set protocols bgp group my-ibgp type internal
    set protocols bgp group my-ibgp local-address 2.2.2.2
    set protocols bgp group my-ibgp neighbor 10.0.0.2 family evpn signaling
    set protocols ospf area 0.0.0.1 interface lo0.0 passive
    set protocols ospf area 0.0.0.1 interface ge-0/0/9.0
    set protocols ldp interface ge-0/0/9.0
    set protocols ldp interface lo0.0
    set routing-instances SW instance-type virtual-switch
    set routing-instances SW route-distinguisher 2.2.2.2:1010
    set routing-instances SW vrf-target target:64512:99
    set routing-instances SW protocols evpn extended-vlan-list 1010
    set routing-instances SW bridge-domains bridge-1010 domain-type bridge
    set routing-instances SW bridge-domains bridge-1010 vlan-id 1010
    set routing-instances SW bridge-domains bridge-1010 interface ge-0/0/8.1010
    set routing-instances SW bridge-domains bridge-1010 routing-interface irb.1010



    ------------------------------
    Aaron Gould
    Senior Network Engineer
    aaron@gvtc.com
    https://www.linkedin.com/in/agould123/
    ------------------------------