
VXLAN route leaking between vrf

k.shcherbatykh
Level 1

Hello,
I'm trying to implement "centralized route leaking" on VXLAN fabric.

I configured 2 VXLANs on the leaf (vPC pair) switches and a route leaking point on the spine switch.
Each VXLAN has a workstation connected.
These two VXLANs must exchange routes between themselves.

Vxlan1: 172.25.121.0/24 anycast gateway 172.25.121.254
Vxlan2: 172.25.122.0/24 anycast gateway 172.25.122.254

Server1: 172.25.121.1
Server2: 172.25.122.1

I can't see any leaked routes in the VRF's routing table.
Servers cannot ping each other.

spine:
nxs-spine-2# show bgp vrf vxtest1l3 all
BGP routing table information for VRF vxtest1l3, address family IPv4 Unicast
BGP table version is 378, Local Router ID is 0.0.0.0
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - best2

Network Next Hop Metric LocPrf Weight Path
*|i172.25.121.0/24 172.22.53.22 0 100 0 ?
*>i 172.22.53.21 0 100 0 ?
* i172.25.121.1/32 172.22.53.121 100 0 i
*>i 172.22.53.121 100 0 i


What's wrong or missing in my configuration?


P.S.
NX-OS version 9.3(6)

I read the article

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/vxlan/configuration/guide/b-cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-93x/b-cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-93x_chapter_011111.html#d4591...



LEAF configuration:

Network 1:
--------------------

config-profile VXTEST1
vlan 121
vn-segment 30121
name Test_vlan
interface Vlan121
vrf member vxtest1l3
no ip redirects
no ipv6 redirects
ip address 172.25.121.254/24 tag 12345
fabric forwarding mode anycast-gateway
no shutdown
interface nve1
member vni 30121
mcast-group 239.1.1.0
suppress-arp
evpn
vni 30121 l2
rd auto
route-target import auto
route-target export auto

VRF 1 :
---------------------------------
config-profile VXTEST1L3
vlan 3121
vn-segment 50121
interface Vlan3121
vrf member vxtest1l3
ip forward
ipv6 address use-link-local-only
no ip redirects
no ipv6 redirects
mtu 9216
no shutdown
vrf context vxtest1l3
description TEST VLAN 121 for deploy
vni 50121
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
address-family ipv6 unicast
route-target both auto
route-target both auto evpn
router bgp 65100
vrf vxtest1l3
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map fabric-rmap-redist-subnet
maximum-paths ibgp 2
address-family ipv6 unicast
advertise l2vpn evpn
redistribute direct route-map fabric-rmap-redist-subnet

maximum-paths ibgp 2

Network 2:

config-profile VXTEST2
vlan 122
vn-segment 30122
interface Vlan122
vrf member vxtest2l3
no ip redirects
no ipv6 redirects
ip address 172.25.122.254/24 tag 12345
fabric forwarding mode anycast-gateway
no shutdown
interface nve1
member vni 30122
mcast-group 239.1.1.9
suppress-arp
evpn
vni 30122 l2
rd auto
route-target import auto
route-target export auto

VRF 2:
config-profile VXTEST2L3
vlan 3122
vn-segment 50122
interface Vlan3122
vrf member vxtest2l3
ip forward
ipv6 address use-link-local-only
no ip redirects
no ipv6 redirects
mtu 9216
no shutdown
vrf context vxtest2l3
vni 50122
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
address-family ipv6 unicast
route-target both auto
route-target both auto evpn
router bgp 65100
vrf vxtest2l3
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map fabric-rmap-redist-subnet
maximum-paths ibgp 2
address-family ipv6 unicast
advertise l2vpn evpn
redistribute direct route-map fabric-rmap-redist-subnet
maximum-paths ibgp 2

interface nve1
member vni 50122 associate-vrf

--------------------------
SPINE (Leaking point)
--------------------------

VRF 1:
-------------------

interface Vlan3121
vrf member vxtest1l3
vrf context vxtest1l3
description TEST VLAN 121 for deploy
vni 50121
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
route-target import 9100:30
route-target import 9100:30 evpn
route-target export 9100:30
route-target export 9100:30 evpn
address-family ipv6 unicast
route-target both auto
route-target both auto evpn
router bgp 65100
vrf vxtest1l3
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map fabric-rmap-redist-subnet
maximum-paths ibgp 2
address-family ipv6 unicast
advertise l2vpn evpn
redistribute direct route-map fabric-rmap-redist-subnet
maximum-paths ibgp 2


VRF 2:
------------------

interface Vlan3122
vrf member vxtest2l3
vrf context vxtest2l3
vni 50122
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
route-target import 9100:30
route-target import 9100:30 evpn
route-target export 9100:30
route-target export 9100:30 evpn
address-family ipv6 unicast
route-target both auto
route-target both auto evpn
router bgp 65100
vrf vxtest2l3
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map fabric-rmap-redist-subnet
maximum-paths ibgp 2
address-family ipv6 unicast
advertise l2vpn evpn
redistribute direct route-map fabric-rmap-redist-subnet
maximum-paths ibgp 2

 

 

Accepted Solution

k.shcherbatykh
Level 1

Self-found solution

 

The new "VXLAN EVPN with Downstream VNI" feature made my day.

There is no longer a need for a so-called central route leaking point.
It is unnecessary to configure all VNIs participating in the route leak on it.
All L3VNIs remain where the DCNM placed them.

No more potentially dangerous re-origination of prefixes at the leaking point, with a hard-to-predict distribution area and possible route distribution loops.

 

import vrf advertise-vpn
export vrf allow-vpn


The only thing you need to take care of is syncing the route-target export/import configuration across all instances of each l3vni within the VXLAN fabric.

 

Now the route leaking feature behaves the same way as good old MPLS L3VPN.

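A consistency check for the route-target syncing that the solution above calls for, as an added example that is not part of the original post and not Cisco tooling. The device names leaf-a and leaf-b and both sample configs are constructed, modeled on the VRF name and route-target values from the question.

```python
import re
from collections import defaultdict

RT = re.compile(r"route-target (import|export|both) (\S+)( evpn)?$")
IN_VRF = ("description ", "vni ", "rd ", "address-family ", "route-target ")

def parse_vrf_rts(config):
    """Return {(vrf, l3vni): {(af, direction, rt, evpn)}} for one device."""
    out, vrf, vni, af, rts = {}, None, None, None, set()
    for line in config.splitlines() + ["!"]:      # "!" flushes the last context
        line = line.strip()
        # Any command that does not belong to a VRF context closes it.
        if vrf and line and not line.startswith(IN_VRF):
            out[(vrf, vni)] = rts
            vrf = None
        if line.startswith("vrf context "):
            vrf, vni, af, rts = line.split()[2], None, None, set()
        elif vrf and line.startswith("vni "):
            vni = int(line.split()[1])
        elif vrf and line.startswith("address-family "):
            af = line.split()[1]
        elif vrf and (m := RT.match(line)):
            # "both" is shorthand for one import and one export entry.
            dirs = ("import", "export") if m[1] == "both" else (m[1],)
            rts.update((af, d, m[2], bool(m[3])) for d in dirs)
    return out

def rt_mismatches(devices):
    """devices: {name: config}. Return {(vrf, vni): {device: missing RTs}}."""
    seen = defaultdict(dict)
    for name, cfg in devices.items():
        for key, rts in parse_vrf_rts(cfg).items():
            seen[key][name] = rts
    report = {}
    for key, per_dev in seen.items():
        union = set().union(*per_dev.values())
        if missing := {d: union - r for d, r in per_dev.items() if union - r}:
            report[key] = missing
    return report

# Constructed sample configs: leaf-b lacks the extra import that leaf-a has.
LEAF_B = """vrf context vxtest1l3
  vni 50121
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
router bgp 65100
"""
LEAF_A = LEAF_B.replace("router bgp", "    route-target import 9100:30\n"
                        "    route-target import 9100:30 evpn\nrouter bgp")
print(rt_mismatches({"leaf-a": LEAF_A, "leaf-b": LEAF_B}))
```

The literal `auto` is compared as a token, which is only meaningful when all devices share the same BGP AS; any instance of an L3VNI whose route-target set differs from its peers is reported, since an unsynced import is also how an unintended leak between VRFs goes unnoticed.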


Hello @k.shcherbatykh,

Thank you for letting the community know your solution!

 

Regards,

Julia Ustyugova

Russian Community Moderator

 

Paw_Paw
Level 1

Hi

I play a lot with leaking and VXLAN in the lab and it looks not that bad. But I cannot find an example configuration in the Cisco documentation. I would like to know if I am doing it the right way or see what best practice is. I only found some verify commands. Have you found something?

 

Regards
