Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1410
Views
5
Helpful
31
Replies

VXLAN + BGP-EVPN over the internet (IPv6) on vPC (Nexus 93180YC-FX)

Vitalium
Level 1
Level 1

‎12-10-2024 02:31 AM - edited ‎12-10-2024 02:38 AM

Hello everyone!

Please help to get rid of the VXLAN over internet issues.
We have many sites with Nexuses 93180YC-FX (in vPC chassis) and want to combine them into single L2 segment at least for management network.

2 of sites should be route-reflectors the others will be route-reflector-clients.
But current goal is to get VXLAN operational between 2 sites only.

Constraints and pre-requisites:

  • VXLAN:
    • VXLAN requires to be run loopback interface.
    • We need that IPs to be visible on the internet.
    • To run on vPC I have used the second any-cast loopback.
    • I decided to use /128 IPv6 addresses.
  • BGP EVPN:
    • Both sites use the same AS number and there are configured some IPv4/IPv6 networks.
    • Neighbors are located far from each other, so we need configure eBGP and multi-hop.
    • I decided to use private ASN for peering for neighbors to be not considered as iBGP.

Common part of the config:

 

 

nv overlay evpn
feature bgp
feature interface-vlan
feature vn-segment-vlan-based
feature vpc
feature nv overlay

vlan 3
  name VXLANTEST
  vn-segment 10003

interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback0 anycast loopback1
  member vni 10003
    ingress-replication protocol bgp

router bgp <public ans>
  ! router-id <local ipv4>
  address-family l2vpn evpn
  allow-vni-in-ethertag
  ! neighbors configs...

evpn
  vni 10003 l2
  rd auto
  route-target import auto
  route-target export auto

 

 

We have sites #6 and #8, so neighbors config are similar except digits 6 & 8. Below is an example of site #6 config:

 

 

interface Vlan3
  ip address 10.1.6.1/16

interface loopback0
  ipv6 address bad:face:6::aaaa/128

interface loopback1
  ipv6 address bad:face:6::ba/128

! BGP section below
neighbor bad:face:8::ba
  remote-as 65008
  local-as 65006
  update-source loopback1
  disable-connected-check
  ebgp-multihop 32
  address-family l2vpn evpn
    allowas-in 3
  send-community
  send-community extended

 

 

vPC peer has the same config except interface loopback0 — ipv6 address bad:face:6::bbbb/128.

Debug commands and their outputs

# show bgp session
bad:face:8::ba 65008 0 16:14:07|00:00:48|00:00:16 E 179/20558 0/0

SUCCESS: BGP Sessions established

 

# show bgp l2vpn evpn vni-id 10003
Route Distinguisher: <local bgp router-id>:32770 (L2VNI 10003)
*>l[2]:[0]:[0]:[48]:[062c.2bd4.89dc]:[0]:[0.0.0.0]/216
bad:face:6::ba 100 32768 i
*>e[2]:[0]:[0]:[48]:[c27e.3bf4.23fd]:[0]:[0.0.0.0]/216
bad:face:8::ba 0 65006 65008 202656 i
*>l[3]:[0]:[128]:[bad:face:6::ba]/184
bad:face:6::ba 100 32768 i
*>e[3]:[0]:[128]:[bad:face:8::ba]/184
bad:face:8::ba 0 65006 65008 202656 i

SUCCESS: we see local and remote MAC addresses.
FAIL: We see only MAC route and no MAC-IP routes.

 

# show mac address-table vlan 3
VLAN MAC Address Type age Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
C 3 c27e.3bf4.23fd dynamic NA F F nve1(bad:face:8::ba)
+ 3 062c.2bd4.89dc dynamic NA F F vPC Peer-Link

SUCCESS: We see remote MAC addresses in the mac address-table.

 

# show ip arp vlan 3
Address Age MAC Address Interface Flags
10.1.6.2 00:12:07 003a.9c1c.6ae7 Vlan3
10.1.6.253 00:00:03 062c.2bd4.89dc Vlan3 +
10.1.8.2 00:00:19 INCOMPLETE Vlan3

FAIL: we don't see here any entries with remote MAC addresses.

 

# show nve peers
Interface Peer-IP State LearnType Uptime Router-Mac
--------- -------------------------------------- ----- --------- -------- -----------------
nve1 bad:face:8::ba Up CP 00:19:09 n/a

SUCCESS: we see raised up peer.
FAIL: Router-Mac is n/a (probably that is the reason).

I tried to specify virtual-rmac and advertise it (along with advertise-pip in BGP scope) but have no luck.
Neither switches nor hosts can't ping each other.

Can anyone please advice anything...

Labels:
0 Helpful
31 Replies 31

nidamen
Cisco Employee
Cisco Employee

‎12-21-2024 11:07 PM

If your doing this over the internet with VxLan your most likely do not have jumbo frame support. There for your MTU should reflect this. Lots of good info on MTU, BGP mtu discovery and if your looking for L2 extension yes this will work but all the host must have a lower mtu hardcode in their settings. 

0 Helpful

Vitalium
Level 1
Level 1
In response to nidamen

‎12-22-2024 12:21 AM

Thank you for your comment! I know this, on my hosts there is already set MTU 1446. But the problem is that BGP doesn’t work as expected. I see Type-2 MAC routes but no MAC-IP ones. Could you advise what to do to make this work?

0 Helpful

nidamen
Cisco Employee
Cisco Employee
In response to Vitalium

‎12-22-2024 02:14 AM

Please provide the entire config due to things that can cause this issue. Why are you doing IPv6? Not saying it will not work but I doubt it being tested as much as IPv4.

 

what version of nexus? 

 

 

0 Helpful

Vitalium
Level 1
Level 1
In response to nidamen

‎12-22-2024 02:25 AM

Thank you in advance for your help!

I remove some sensitive data and pasted "show run" command at pastebin.

I use IPv6 because I found that this is the only way to use public IP on loopback interface.

0 Helpful

Pavel Tarakanov
Cisco Employee
Cisco Employee

‎12-22-2024 11:03 PM

To get MAC-IP type-2 routes, please configure SVI as anycast gateway

 

https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/103x/configuration/vxlan/cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-release-103x/m_configuring_vxlan_bgp_evpn.html

Configuring SVI for Host-Facing VXLAN Routing part. Additionally add L3VNI for tenant VRF where all these SVIs should be.

0 Helpful

Vitalium
Level 1
Level 1
In response to Pavel Tarakanov

‎12-23-2024 12:14 AM

Thank you for the hint Pavel!

Added the following on two vPC peers at site #6 (the same with mac ...0008 on site #8):

fabric forwarding anycast-gateway-mac 0000.face.0006
int vlan3
  fabric forwarding mode anycast-gateway

But unfortunately nothing changed

0 Helpful

Pavel Tarakanov
Cisco Employee
Cisco Employee
In response to Vitalium

‎12-23-2024 12:22 AM

Please add vrf member configuration and configure VRF/L3VNI for tenants accordingly.

0 Helpful

Vitalium
Level 1
Level 1
In response to Pavel Tarakanov

‎12-23-2024 12:46 AM

Can you please advise what exactly I should do?

At int nve1 level I already have:

member vni 10003
  ingress-replication protocol bgp

Should I remove this and add member vni 10003 associate-vrf instead? I can't override it, got en error "Cannot associate a multicast group or vrf to an ingress replication vni".

I have added the following block:

vrf context VXLAN
  vni 10003
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn

And now I see changes in show bgp l2vpn evpn command but still no MAC-IP routes.

Route Distinguisher: 31.134.200.150:6    (L3VNI 10003)
  e[2]:[0]:[0]:[48]:[c27e.3bf4.23fd]:[0]:[0.0.0.0]/216
                      2a13:f580:8::ba                                0 65006 65008 202656 i
  e[3]:[0]:[128]:[2a13:f580:8::ba]/184
                      2a13:f580:8::ba                                0 65006 65008 202656 i

 

0 Helpful

Pavel Tarakanov
Cisco Employee
Cisco Employee
In response to Vitalium

‎12-23-2024 12:55 AM

For L3VNI you need new VLAN and VRF, like:

 

vlan 10
vn-segment 10010

vrf context VXLAN
  vni 10010
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn

interface nve 1
member vni 10010 associate-vrf

int vl 10
vrf member VXLAN
ip forward

 

0 Helpful

Vitalium
Level 1
Level 1
In response to Pavel Tarakanov

‎12-23-2024 01:43 AM

Thanks, I have added this but now do not see L3VNI section in "show bgp l2vpn evpn" output.

0 Helpful

Pavel Tarakanov
Cisco Employee
Cisco Employee
In response to Vitalium

‎12-23-2024 01:55 AM

Please share output for

show nve vni

show nve peers

show ip int br vrf all

show ipv6 int br vrf all

 

Also, you need to add vlan 3 to BGP ipv4 under vrf

 

router bgp <AS>

vrf VXLAN

address-family ipv4 uni

network <vlan3 network>

address-family ipv6 uni

And I don't see any ip address under int vl3. Is it configured?

In general, please follow NX-OS VXLAN configuration guide to make it work, as it seems you have configured it only partially, and it's hard to determine which part are missed.

0 Helpful

Vitalium
Level 1
Level 1
In response to Pavel Tarakanov

‎12-23-2024 02:22 AM

show nve vni

Interface VNI      Multicast-group   State Mode Type [BD/VRF]      Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1      10003    UnicastBGP        Up    CP   L2 [3]
nve1      10010    n/a               Down  CP   L3 [VXLAN]


show nve peers

Interface Peer-IP                                 State LearnType Uptime   Router-Mac
--------- --------------------------------------  ----- --------- -------- -----------------
nve1      2a13:f580:6::ba                         Up    CP        01:55:24 n/a


show ip int br vrf all

IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status
Vlan1                91.216.155.250  protocol-up/link-up/admin-up
Vlan2                10.0.8.250      protocol-up/link-up/admin-up
Vlan3                10.1.8.2        protocol-up/link-up/admin-up
Eth1/45              31.28.91.122    protocol-up/link-up/admin-up

! omit non-related

IP Interface Status for VRF "VXLAN"(6)
Interface            IP Address      Interface Status
Vlan10               forward-enabled protocol-down/link-down/admin-down


show ipv6 int br vrf all

IPv6 Interface Status for VRF "default"(1)
Interface        IPv6 Address/Link-local Address           Interface Status
                                                           prot/link/admin
Vlan1            2a13:f580:8::250                          up/up/up
                 fe80::7e21:eff:fee3:72a7
Lo0              2a13:f580:8::bbbb                         up/up/up
                 fe80::7e21:eff:fee3:72a0
Lo1              2a13:f580:8::ba                           up/up/up
                 fe80::7e21:eff:fee3:72a0
Eth1/45          2a10:6740::23:2                           up/up/up
                 fe80::7e21:eff:fee3:72a7

! omit non-related
IPv6 Interface Status for VRF "VXLAN"(6)
Interface        IPv6 Address/Link-local Address           Interface Status
                                                           prot/link/admin

Additional settings to BGP has been also added.

VLAN 3 have IP addresses:
rs1-gb: 10.1.8.1/16
rs2-gb: 10.1.8.2/16
rs1-nl: 10.1.6.1/16
rs2-nl: 10.1.8.2/16

By the way, I can ping to/from rs2-gb (where anycast VTEP IPv6 address originate) to rs1-nl!
But it seems after applying anycast-gateway configuration I can't ping vPC peers:
no ping between rs1-gb and rs2-gb (10.1.8.1 and 10.1.8.2).
no ping between rs1-nl and rs2-nl (10.1.6.1 and 10.1.6.2).

0 Helpful

Pavel Tarakanov
Cisco Employee
Cisco Employee
In response to Vitalium

‎12-23-2024 02:34 AM

1) move int vl 3 to vrf VXLAN

int vl 3

vrf member VXLAN

 

2) Unshut int vl 10, it should move vni 10010 in "sh nve vni" output to up state

3) What interface used for connectivity to NVE peer?

An SVI in any VRF remains not supported as VXLAN uplink.

https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/103x/configuration/vxlan/cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-release-103x/m_configuring_vxlan_bgp_evpn.html

4) How source loopback for NVE configured?

For VPC it should be configured in specific way:

vPC Considerations for VXLAN Deployment

https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/103x/configuration/vxlan/cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-release-103x/m_configuring_vxlan_93x.html

0 Helpful

Vitalium
Level 1
Level 1
In response to Pavel Tarakanov

‎12-23-2024 03:03 AM

1, 2) Done.

3) sh ru int nve1:

interface nve1
  no shutdown
  host-reachability protocol bgp
  advertise virtual-rmac
  virtual-rmac 0000.cafe.0008
  source-interface loopback0 anycast loopback1
  member vni 10003
    ingress-replication protocol bgp
  member vni 10010 associate-v

4) sh ru int lo re 0|1

interface loopback0
  ipv6 address 2a13:f580:8::bbbb/128

interface loopback1
  ipv6 address 2a13:f580:8::ba/128

Also I have changed VLAN3 IP to be the same for local VTEPs and as a result I can't ping that IPs anymore.

Also I discovered some changes in show nve peers. I see non-anycast IPs (that configured on lo0) and MACs of the routers:

rs2-gb# show nve peers
Interface Peer-IP State LearnType Uptime Router-Mac
--------- -------------------------------------- ----- --------- -------- -----------------
nve1 2a13:f580:6::ba Up CP 02:43:33 n/a
nve1 2a13:f580:6::aaaa Up CP 00:19:34 003a.9c17.8e47


rs1-nl# show nve peers
Interface Peer-IP                                 State LearnType Uptime   Router-Mac
--------- --------------------------------------  ----- --------- -------- -----------------
nve1      2a13:f580:8::ba                         Up    CP        02:45:59 n/a
nve1      2a13:f580:8::bbbb                       Up    CP        00:20:43 7c21.0ee3.72a7

 

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card