The EVPN feature is currently supported on x86 platforms only.
Ethernet Virtual Private Network (EVPN) is a technology for carrying Layer 2 traffic over a routed wide-area backbone. EVPN is a multi-tenant, BGP-based control plane for Layer 2 (bridging) and Layer 3 (routing) VPNs; it is the unifying L2+L3 equivalent of the traditional L3-only MPLS/VPN control plane. The PicOS EVPN implementation uses VXLAN as the data-plane encapsulation, as described in RFC 7348.
VXLAN is the predominant technology used in enterprise and data center networks to scale Layer 2 domains over an IP underlay. It decouples the virtual network from the underlying physical network, which simplifies network virtualization, management and orchestration. VXLAN provides network segmentation and also removes the scaling limit of the 12-bit VLAN ID (4094 VLANs) by identifying each segment with a 24-bit VXLAN Network Identifier (VNI).
The PicOS BGP EVPN implementation supports the following features:
- Exchange of VNI membership between VTEPs using EVPN Type-3 (inclusive multicast) routes.
- Exchange of host MAC and IP addresses using EVPN Type-2 (MAC/IP advertisement) routes.
- MAC Mobility Extended Community to support host/VM mobility.
- Dual-attached hosts via VXLAN active-active mode; MAC synchronization between the two switches is achieved via MLAG.
- Inter-subnet routing for IPv4: distributed symmetric and asymmetric routing between subnets, and centralized routing.
- Prefix-based routing using EVPN Type-5 (IP prefix) routes.
- Layer 3 multi-tenancy.
Both eBGP and iBGP peerings can be used for the EVPN address family.
- ARP/ND suppression does not suppress IPv6 Router Solicitation/Router Advertisement (RS/RA) packets; only ARP requests and ND neighbor solicitations are handled.
- When enabling ARP/ND suppression on a VNI, also configure the L3 VLAN interface of the VLAN that is mapped to that VNI; suppression requires it.
In MP-BGP EVPN networks, ARP/ND suppression can be enabled on VTEP devices to reduce the broadcast storms caused by flooding ARP requests and ND neighbor solicitations across the VXLAN fabric.
In BGP EVPN networks, VTEPs learn both local and remote hosts. When a VTEP learns a local host from a Gratuitous ARP or Reverse ARP, it records the host's MAC and IP address in an ARP cache table for that VNI. The binding is then shared with the remote VTEPs in the same VNI using MP-BGP EVPN Type-2 routes, so every VTEP builds the same cache for the VNI.
When an ARP request broadcast is received from a host, a local VTEP with ARP suppression enabled intercepts the message, looks up the target IP address in the ARP cache of that VNI and, if an entry exists, replies to the requester with the cached MAC on behalf of the destination host instead of flooding the request to every VTEP in the VNI. If no entry exists, the request is flooded as usual so that unknown hosts can still be reached.
ND suppression uses the same mechanism for neighbor solicitations, so it is not discussed separately.
ARP/ND suppression is disabled by default. Use the following command to control it on a VTEP; disable false turns suppression on for the VNI and disable true turns it off.
set vxlans vni <vni-id> arp-nd-suppress disable <true | false>
ARP/ND suppression is enabled per L2 VNI and acts only on ARP/ND broadcast and multicast messages within the VNI on which it is enabled.
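The forwarding decision described above, as an added example that is not PicOS code: a VTEP fills a per-VNI ARP/ND cache from locally learned hosts and from EVPN Type-2 routes received from remote VTEPs, answers ARP requests and ND neighbor solicitations from that cache, floods only the ones it cannot answer, leaves RS/RA untouched, and floods everything when suppression is disabled for the VNI. Class names, the VNI numbers and the host bindings below are constructed.

```python
"""Model of VTEP ARP/ND suppression (added example, not PicOS code).

The per-VNI cache, the 'disable true|false' switch and the RS/RA pass-through
follow the behaviour described in the text; names and bindings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Type2Route:
    """EVPN Type-2 (MAC/IP advertisement) as seen by the receiving VTEP."""
    vni: int
    mac: str
    ip: str          # IPv4 or IPv6 literal


@dataclass(frozen=True)
class Packet:
    vni: int
    kind: str        # "arp-request", "nd-ns", "nd-rs" or "nd-ra"
    target_ip: str = ""   # ARP target IP / NS target address


@dataclass
class Vtep:
    name: str
    # vni -> True when 'arp-nd-suppress disable false' was set for that VNI
    suppress: Dict[int, bool] = field(default_factory=dict)
    # vni -> {ip: mac}: the ARP/ND cache, one table per VNI
    cache: Dict[int, Dict[str, str]] = field(default_factory=dict)

    def set_arp_nd_suppress(self, vni: int, disable: bool) -> None:
        """Mirror 'set vxlans vni <vni> arp-nd-suppress disable <true|false>'."""
        self.suppress[vni] = not disable

    def learn(self, route: Type2Route) -> None:
        """Install a host binding; same path for local learning and remote Type-2 routes."""
        self.cache.setdefault(route.vni, {})[route.ip] = route.mac

    def handle(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Decide what to do with a received ARP/ND message.

        Returns (action, mac): 'proxy-reply' with the cached MAC, 'flood'
        (send to every VTEP in the VNI) or 'forward' (not touched at all).
        """
        if pkt.kind in ("nd-rs", "nd-ra"):
            return "forward", None                 # RS/RA are never suppressed
        if pkt.kind not in ("arp-request", "nd-ns"):
            raise ValueError(f"unexpected message kind {pkt.kind!r}")
        if not self.suppress.get(pkt.vni, False):  # feature is off by default
            return "flood", None
        mac = self.cache.get(pkt.vni, {}).get(pkt.target_ip)
        if mac is None:                            # unknown host: must still flood
            return "flood", None
        return "proxy-reply", mac


def demo() -> List[Tuple[str, str, Optional[str]]]:
    """Constructed scenario: two VNIs, suppression enabled only on VNI 10010."""
    leaf1 = Vtep("leaf1")
    leaf1.set_arp_nd_suppress(10010, disable=False)   # enabled
    leaf1.set_arp_nd_suppress(10020, disable=True)    # explicitly left off
    # Server A is local to leaf1; Server C's bindings arrive as Type-2 routes from leaf2
    leaf1.learn(Type2Route(10010, "00:00:10:00:00:0a", "10.10.10.11"))
    leaf1.learn(Type2Route(10010, "00:00:10:00:00:0c", "10.10.10.13"))
    leaf1.learn(Type2Route(10010, "00:00:10:00:00:0c", "2001:db8:10::13"))
    leaf1.learn(Type2Route(10020, "00:00:20:00:00:0b", "10.10.20.12"))

    traffic = [
        Packet(10010, "arp-request", "10.10.10.13"),  # known remote host -> answered locally
        Packet(10010, "arp-request", "10.10.10.99"),  # unknown host -> flooded
        Packet(10010, "nd-ns", "2001:db8:10::13"),    # ND handled the same way
        Packet(10010, "nd-rs"),                       # router solicitation passes through
        Packet(10020, "arp-request", "10.10.20.12"),  # known, but suppression off -> flooded
    ]
    return [(p.kind, *leaf1.handle(p)) for p in traffic]


if __name__ == "__main__":
    for kind, action, mac in demo():
        print(f"{kind:12} -> {action}{'' if mac is None else ' ' + mac}")
```

The last case is the one to remember when troubleshooting: a binding present in the cache does nothing unless suppression is actually enabled on that VNI, and the page's own caveat that RS/RA are not suppressed shows up as the unconditional forward branch.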
Anycast Gateway for EVPN Distributed Networks
In data center and campus networks it is often necessary to migrate virtual machines (VMs) seamlessly, without changing their network settings or disrupting traffic forwarding. From the network's point of view a VM migration is simply a MAC address changing location; switches must notice the move and refresh their forwarding entries in time so that traffic is not interrupted.
In EVPN distributed networks, users configure the same anycast gateway IP and the same virtual MAC (router MAC) on all distributed gateways to enable the anycast gateway function, and configure the same default gateway IP on all hosts or VMs. After that, regardless of which VTEP a host is connected to, as long as it stays within the same VNI it can use its directly connected VTEP as the default gateway for sending and receiving traffic. Because all hosts in a VLAN share the same default gateway IP and MAC, hosts or VMs can be moved anywhere in the data center without changing their configuration. This provides flexible VM mobility between the distributed gateways in the network.
The following commands can be used to configure the anycast gateway IP and virtual MAC (router MAC).
set l3-interface vlan-interface <vlan-interface-name> address <address> prefix-length <number>
set l3-interface vlan-interface <vlan-interface-name> router-mac <macaddr>
For example, in the simplified EVPN topology shown below, the gateways of the attached servers reside on the leaf VTEP switches. Since Server A and Server C are in the same subnet (VLAN 10 / VNI 10010), they must have the same gateway configuration (e.g. gateway IP 10.10.10.1 and gateway MAC 00:00:10:00:00:FE). If Server A moves from Leaf 1 to Leaf 2, the gateway IP configured on Server A does not need to change. Likewise, Server B and Server D do not need to change their gateway IP or MAC addresses.
All VTEPs serving the same VNI must be configured with the same anycast gateway IP and virtual MAC.
The example commands below configure anycast gateway on VTEP1 and VTEP2.
- One anycast gateway applies to a single VLAN/VNI only. In the example above, VLAN 10 and VLAN 20 cannot share the same anycast gateway, so Server A (VLAN 10) and Server D (VLAN 20) require different gateway configurations.
- In the EVPN distributed gateway scenario, anycast gateway is mutually exclusive with the EVPN advertise-default-gw and advertise-svi-ip options; they cannot be configured at the same time:
set protocols bgp [vrf <vrf-name>] evpn advertise-default-gw
set protocols bgp evpn vni <vni> advertise-svi-ip
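The two rules above (identical gateway IP/MAC on every VTEP in a VNI, and no advertise-default-gw / advertise-svi-ip alongside an anycast router-mac) are easy to get wrong on a fabric with many leaves. The following added example, which is not part of PicOS, parses the set commands shown on this page for several VTEPs and reports violations of both rules. The per-VTEP configurations (VTEP1, VTEP2, VTEP3 and the VLAN 20 addresses) are constructed, and it is assumed that a given vlan-interface name maps to the same VNI on every VTEP.

```python
"""Anycast gateway consistency check across VTEPs (added example, not PicOS code).

Parses the 'set l3-interface vlan-interface ...' and 'set protocols bgp ... evpn ...'
lines from the text and flags (a) VLAN interfaces whose gateway address or
router-mac differs between VTEPs and (b) VTEPs that combine an anycast router-mac
with advertise-default-gw or advertise-svi-ip. Sample configs are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ADDR_RE = re.compile(r"^set l3-interface vlan-interface (\S+) address (\S+) prefix-length (\d+)$")
RMAC_RE = re.compile(r"^set l3-interface vlan-interface (\S+) router-mac (\S+)$")
DGW_RE = re.compile(r"^set protocols bgp(?: vrf \S+)? evpn advertise-default-gw$")
SVI_RE = re.compile(r"^set protocols bgp evpn vni (\d+) advertise-svi-ip$")


def parse(config: str) -> Tuple[Dict[str, Dict[str, str]], Set[str]]:
    """Extract gateway settings and EVPN gateway-advertisement flags from one VTEP's config."""
    gateways: Dict[str, Dict[str, str]] = {}
    flags: Set[str] = set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ADDR_RE.match(line):
            gateways.setdefault(m[1], {})["address"] = f"{m[2]}/{m[3]}"
        elif m := RMAC_RE.match(line):
            # MAC case is not significant, so normalise before comparing
            gateways.setdefault(m[1], {})["router-mac"] = m[2].lower()
        elif DGW_RE.match(line):
            flags.add("advertise-default-gw")
        elif m := SVI_RE.match(line):
            flags.add(f"advertise-svi-ip (vni {m[1]})")
    return gateways, flags


def check(configs: Dict[str, str]) -> List[str]:
    """Return one human-readable line per violation; empty list means consistent."""
    problems: List[str] = []
    variants = defaultdict(dict)  # vlan -> (address, router-mac) -> [vtep names]
    for vtep, cfg in configs.items():
        gateways, flags = parse(cfg)
        for vlan, g in gateways.items():
            key = (g.get("address"), g.get("router-mac"))
            variants[vlan].setdefault(key, []).append(vtep)
        uses_anycast = any("router-mac" in g for g in gateways.values())
        if uses_anycast and flags:  # mutually exclusive with anycast gateway
            problems.append(f"{vtep}: anycast router-mac configured together with "
                            + ", ".join(sorted(flags)))
    for vlan, by_value in variants.items():
        if len(by_value) > 1:  # more than one distinct (address, mac) for this VLAN
            detail = "; ".join(f"{addr} {mac} on {','.join(names)}"
                               for (addr, mac), names in by_value.items())
            problems.append(f"{vlan}: gateway differs between VTEPs ({detail})")
    return problems


# Constructed configs: VLAN 10 values come from the text, VLAN 20 values are made up.
VLAN10 = """
set l3-interface vlan-interface vlan10 address 10.10.10.1 prefix-length 24
set l3-interface vlan-interface vlan10 router-mac 00:00:10:00:00:FE
"""
SAMPLE_CONFIGS = {
    "VTEP1": VLAN10 + """
set l3-interface vlan-interface vlan20 address 10.10.20.1 prefix-length 24
set l3-interface vlan-interface vlan20 router-mac 00:00:20:00:00:FE
""",
    "VTEP2": VLAN10 + """
set l3-interface vlan-interface vlan20 address 10.10.20.1 prefix-length 24
set l3-interface vlan-interface vlan20 router-mac 00:00:20:00:00:EF
""",  # typo in the VLAN 20 router-mac
    "VTEP3": VLAN10 + "set protocols bgp evpn advertise-default-gw\n",  # not allowed with anycast
}


def demo() -> List[str]:
    return check(SAMPLE_CONFIGS)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Run against a fabric's exported configurations, the first report points at the leaf that needs its router-mac fixed and the second at the leaf where advertise-default-gw has to be removed before anycast gateway can be enabled.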
EVPN Multi-homing Scenarios
Since PicOS does not currently support EVPN route Type-1 (Ethernet Auto-Discovery) and Type-4 (Ethernet Segment) routes, EVPN multi-homing access is achieved by deploying both VRRP and MLAG on the distributed gateways.
Because VRRP derives the virtual MAC automatically from the VRRP ID (00:00:5E:00:01:<VRID>), there is no need to configure an anycast gateway router MAC. However, the VRRP ID and the VRRP virtual IP must be configured identically on all VTEPs. Note that this also applies to networks in which multi-homed and single-homed access coexist: the same VRRP ID and virtual IP must be configured on all multi-homing and single-homing anycast gateways.