09-23-2024 12:12 AM
Hi dear community,
I am facing an issue with the following setup :
Ping is not OK for the BGP EVPN VPWS Service (Vlan / EVC 20).
Here is the configuration of the involved PEs:
Cisco PE ISR1111:
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
service instance 20 ethernet
encapsulation dot1q 20
!
l2vpn evpn instance 20 point-to-point
route-target export 65003:20
route-target import 65003:20
no auto-route-target
vpws context EVPN-12120
service target 121201 source 121202
member GigabitEthernet0/0/1 service-instance 20
!
router bgp 65003
bgp router-id 10.0.0.21
bgp log-neighbor-changes
neighbor 10.0.0.1 remote-as 65003
neighbor 10.0.0.1 update-source Loopback0
!
address-family l2vpn evpn
neighbor 10.0.0.1 activate
neighbor 10.0.0.1 send-community both
neighbor 10.0.0.1 soft-reconfiguration inbound
exit-address-family
JUNIPER PE SRX300:
set interfaces ge-0/0/5 unit 20 description "vlan l2vpn-test-Evpn-vpws_Bgp_Signaling"
set interfaces ge-0/0/5 unit 20 encapsulation vlan-ccc
set interfaces ge-0/0/5 unit 20 vlan-id 20
!
set policy-options policy-statement L2Vpn-evpn-12120-Export term from-L2Vpn-evpn-12120 then community add Rt-L2Vpn-evpn-12120
set policy-options policy-statement L2Vpn-evpn-12120-Export term from-L2Vpn-evpn-12120 then accept
set policy-options policy-statement L2Vpn-evpn-12120-Import term from-L2Vpn-evpn-12120 from community Rt-L2Vpn-evpn-12120
set policy-options policy-statement L2Vpn-evpn-12120-Import term from-L2Vpn-evpn-12120 then accept
!
set policy-options community Rt-L2Vpn-evpn-12120 members target:65003:20
!
set routing-instances evpn-12120 protocols evpn interface ge-0/0/5.20 vpws-service-id local 121201
set routing-instances evpn-12120 protocols evpn interface ge-0/0/5.20 vpws-service-id remote 121202
set routing-instances evpn-12120 protocols evpn no-control-word
set routing-instances evpn-12120 interface ge-0/0/5.20
set routing-instances evpn-12120 description "BGP EVPN-VPWS"
set routing-instances evpn-12120 instance-type evpn-vpws
set routing-instances evpn-12120 route-distinguisher 10.0.0.1:20
set routing-instances evpn-12120 vrf-import L2Vpn-evpn-12120-Import
set routing-instances evpn-12120 vrf-export L2Vpn-evpn-12120-Export
!
set protocols bgp group Bgp-Evpn-Signaling type internal
set protocols bgp group Bgp-Evpn-Signaling local-address 10.0.0.1
set protocols bgp group Bgp-Evpn-Signaling family evpn signaling
set protocols bgp group Bgp-Evpn-Signaling neighbor 10.0.0.21
I can see some drops on the RX side of the Cisco PE :
VC is up but a ping from station A to B does not work.
PING 192.168.20.2 (192.168.20.2) 56(84) bytes of data.
From 192.168.20.1 icmp_seq=1 Destination Host Unreachable
From 192.168.20.1 icmp_seq=2 Destination Host Unreachable
From 192.168.20.1 icmp_seq=3 Destination Host Unreachable
From 192.168.20.1 icmp_seq=5 Destination Host Unreachable
From 192.168.20.1 icmp_seq=8 Destination Host Unreachable
From 192.168.20.1 icmp_seq=11 Destination Host Unreachable
A packet capture on interface Gi0/0/0 on the Cisco PE shows the packet from Host A arriving at the Cisco PE (ARP request) but it does not exit the router on interface Gi0/0/1 towards Host B.
Any ideas, folks?
Thanks in advance for your kind help.
Best Regards,
Jerems
09-27-2024 03:18 AM
Hi,
Yes it is :
My goal was to bring up the point-to-point one (EVPN VPWS).
Thanks and Regards,
Jerems
09-27-2024 03:28 AM
I think you can use both vlan-based and point-to-point
Try and see the result.
Sorry I make it long for you, but l2vpn is hard to troubleshoot.
MHM
09-27-2024 05:23 AM
Let me check this afternoon.
Thanks and Regards,
Jerems
10-01-2024 11:16 PM
Did you check vlan-based?
MHM
10-01-2024 11:20 PM
Oops, sorry, not yet.
Let me test it right now.
Regards,
10-01-2024 11:33 PM
Here is the config
l2vpn evpn
logging vpws vc-state
router-id Loopback0
!
l2vpn evpn instance 20 vlan-based
rd 10.0.0.21:65003
route-target export 65003:20
route-target import 65003:20
no auto-route-target
replication-type ingress
!
bridge-domain 20
member GigabitEthernet0/0/1 service-instance 20
member evpn-instance 20
and the status :
jey-isr1k-pe-01#sh l2vpn evpn evi 20 detail
EVPN instance: 20 (VLAN Based)
RD: 10.0.0.21:65003 (cfg)
Import-RTs: 65003:20
Export-RTs: 65003:20
Per-EVI Label: none
State: Established
Replication Type: Ingress
Encapsulation: mpls
IP Local Learn: Enabled (global)
Adv. Def. Gateway: Disabled (global)
Bridge Domain: 20
Ethernet-Tag: 0
BUM Label: 147
Per-BD Label: 17
BDI Label: none
State: Established
Flood Suppress: Attached
Access If:
VRF:
IPv4 IRB: Disabled
IPv6 IRB: Disabled
Pseudoports:
GigabitEthernet0/0/1 service instance 20
Routes: 1 MAC, 0 MAC/IP
Regards,
Jerems
10-01-2024 11:34 PM
I would need to adapt the Juniper config now.
10-01-2024 11:36 PM
But we decide to use both with
L2vpn instance
Point-to-point & vlan-based
MHM
10-01-2024 11:53 PM
Sorry, I didn't catch it, but I guess I have to choose and cannot mix it.
Regards,
10-02-2024 12:04 AM
Yes, I mean mix. Can you try?
MHM
10-02-2024 12:28 AM
I guess I will have to choose one separate instance ID per each type of evpn.
10-03-2024 07:30 PM
Hello @Jerems and @MHM Cisco World,
Just to recap: during the tests performed by the OP, interoperability issues have arisen.
a) At the control plane, the presence or absence of the pseudowire control word is not signalled in MP BGP AF evpn etc.
b) In the data plane, when using the port-based EPL service model:
The Cisco IOS XE uses a double stack of 802.1Q, with the external one having VLAN-ID=0. The internal one carries the user traffic's original VLAN-ID 20 unchanged.
The Juniper side carries the original frame with a single 802.1Q header with VLAN-ID=20.
No communication is possible because on the Cisco side the packets received are dropped (what happens on the Juniper SRX300 side is still not clear; I may have missed something).
On the Cisco side, the use of the double 802.1Q may be an implementation choice (forwarding plane optimization? the need or desire to reuse code written for Q-in-Q? etc.).
However, as far as we know up to now, there is no option to disable this double VLAN tagging on the Cisco side.
@Jerems, is the feature officially supported on Juniper SRX300? Is it supported on Cisco ISR 1100?
Hope to help
Giuseppe
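The tag-stack difference described in the post above can be checked on the customer Ethernet frame carried in the pseudowire payload, once it has been extracted from a capture on each side. This is an added example, not code from the thread or from either vendor: a Python sketch that walks the 802.1Q tag stack of a raw frame and compares the two encapsulations. The function names are hypothetical and the two frames are constructed samples that follow the post's description.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers

def vlan_stack(frame: bytes):
    """Return ([(tpid, pcp, vid), ...], inner_ethertype) for a raw Ethernet frame."""
    offset = 12  # skip destination and source MAC addresses
    if len(frame) < offset + 2:
        raise ValueError("frame shorter than an Ethernet header")
    tags = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return tags, ethertype

def vlan_ids(frame: bytes):
    return [vid for _, _, vid in vlan_stack(frame)[0]]

def compare(local: bytes, remote: bytes) -> str:
    """Explain how two PEs' encapsulations of the same customer frame differ."""
    a, b = vlan_ids(local), vlan_ids(remote)
    if a == b:
        return "match"
    if len(a) != len(b):
        return f"tag depth differs: {a} vs {b}"
    return f"VLAN IDs differ: {a} vs {b}"

def build(vids, ethertype=0x0806, payload=b"\x00" * 28):
    """Constructed sample: broadcast ARP-sized frame with the given tag stack."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

# Constructed frames following the post: Cisco outer VLAN 0 + inner VLAN 20,
# Juniper a single tag with VLAN 20.
CISCO_FRAME = build([0, 20])
JUNIPER_FRAME = build([20])

if __name__ == "__main__":
    print("Cisco  :", vlan_stack(CISCO_FRAME))
    print("Juniper:", vlan_stack(JUNIPER_FRAME))
    print(compare(CISCO_FRAME, JUNIPER_FRAME))
```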
10-04-2024 01:03 AM
I think this is what you are looking for, and I think I was correct in using vlan-based.
Check it.
MHM
10-04-2024 01:30 AM - edited 10-04-2024 01:31 AM