Posted on November 26, 2021 8:32 am
 |  Asked by Cao
 |  156 views
0
0
Print Friendly, PDF & Email

IN EOS:

vlan 515
name test1
!
vlan 608
name test2

interface Vlan515
vrf forwarding vrf_test
ip address virtual 1.1.1.1/24
!

interface Vxlan1
vxlan source-interface Loopback1
vxlan udp-port 4789
vxlan vlan 515 vni 111
vxlan vlan 608 vni 222
vxlan vrf vrf_test vni 1111

 

pls check config above,

1:vlan 608 is only a mac-vrf?

2:does it belong to any tenant?

3:vlan515 has ip-vrf(vrf_test) ?

4:does tenant vrf_test own mac-vrf vlan 515?

5: when we say tenant, do we mean ip-vrf only?

 

0
Posted by Massimo Magnani
Answered on November 26, 2021 8:45 am

Hi Cao!

Please find some replies below:

  1. According to your configuration, it looks like vlan 608 is configured at the top of the EOS CLI hierarchy. It means it's just a local VLAN, a bridge domain. If you want to create a mac-vrf, you must configure the "vlan 608" statement under "router bgp $AS_NUMBER" hierarchy, and under the "vlan 608" stanza you have to add the "usual suspects" (RD, route-target ext-community);
  2. See above. If you configure the vlan 608 under "router bgp" stanza, then it will become a layer 2 tenant, that is, a mac-vrf;
  3. If you add the statement "vrf $VRF_NAME" (vrf forwarding doesn't exist in EOS) under the interface VLAN, you basically move the IP interface out of the default RIB and put it under another one. In jargon, we say the interface belongs to ip-vrf $VRF_NAME and the device will use  that particular routing table to resolve routing for that VLAN;
  4. If you configure vlan 515 as a vlan (your config snippet is doing so), then you add a mac-vrf 515 under "router bgp" (see reply #1), then you assign an IP address to interface vlan515 and you put it inside an IP-VRF, you have create a routed solution, which means you have a tenant made of one mac-vrf and one ip-vrf. The "vlan" is the local stitching point between the layer2 and the layer3 contexts
  5. See reply 4. We can have layer 2 tenants (mac-vrf), layer3 tenants (ip-vrf) or layer2-3 tenants (mac-vrf + ip-vrf).

Hope this helps to clarify.

Ciao

Max.

0
Posted by Angel
Answered on November 27, 2021 5:59 pm

Hello Cao,

 

Thank you for reaching out to the forum.

What is the end goal here?

I will try to answer your questions as I best understood them.

1:vlan 608 is only a mac-vrf?

A Mac-vrf is what is configured under router bgp. From the configuration, vlan 608 is only an L2 vlan.
router bgp 65400
vlan 608
rd 172.22.244.22:1608
route-target both 1608:1608
redistribute learned

2:does it belong to any tenant?
From the configuration, it belongs to the default vrf.

Questions:3,4,5
A tenant is essentially a VRF.
The IP-VRF is : vxlan vrf vrf_test vni 1111

Vlan515 has its own vlan to vni mapping.
vxlan vlan 515 vni 111

We have an EVPN deployment guide which goes deeper into EVPN and has configuration examples:
https://www.arista.com/en/solutions/design-guides

0
Posted by Cao
Answered on November 29, 2021 5:14 am

Hi

thank you both

my goal is to understand whether one tenant can have both mac-vrf and ip-vrf

sorry, I miss to  configure the "vlan 608" and "vlan515" statement under "router bgp $AS_NUMBER" hierarchy

If  I put vlan 608 and 515 under router bgp AS_NUMBER" hierarchy

1: can we say tenant vrf_test have both ip-vrf(vrf_test) and mac-vrf(vlan515)?

But this name "vrf_test" is only created under "interface vlan 515" . how is it connect to a mac-vrf(vlan515)

0
Posted by Aniket Bhowmick
Answered on November 29, 2021 4:07 pm

Hi Cao

In a Vxlan EVPN fabric, you will have hosts that are part of multiple Vlans. A Vlan can be stretched in Vxlan between VTEPs by providing a common VNI so that hosts in same Vlan but in different VTEPs can communicate with each other.

A mac-vrf is just a L2-VRF that is associated with the Vlan which has the VNI. If any mac address or ARP is learnt in the L2VLAN in locally connected interfaces- the information will be shared to other VTEPs using EVPN Type-2 route. This happens only if the VLAN is defined in "router bgp" with correct configurations on different VTEPs (where the Vlan is stretched). Other VTEPs will see the host learnt on the Vxlan Tunnel interface (show vxlan address-table).

This type of model is also known as asymmetric IRB model (where the Vlans are stretched across different VTEPs)

IP-VRF: This is purely used to create a L3VPN Tunnel (similar to vpn-v4). A VLAN can have a SVI which will have an "ip address" and could be part of a L3 VRF (say vrf- red).

If you define the vrf (vrf-red) in router bgp and also provide a VNI mapping for the vrf-red, the router can advertise the subnets learnt in VRF (red) to other VTEPs- either locally connected or learnt from some CE (via BGP) or both.

Consider this scenario:

CE1----VTEP1------VTEP2-----CE2

^ Here CE1 is connected to Vlan100 (SVI-100, vrf red) and CE2 is connected to Vlan200 (SVI200, vrf-red). Using L3VPN Tunnel  you can advertise the routes learnt in VRF red (in VTEP-1) to VTEP-2 and vice versa. This is taken care by EVPN Type-5 routes. The above example is typically known as symmetric IRB model.

I would suggest going through the EVPN design guide where all these are explained in much more details:

https://www.arista.com/en/solutions/design-guides

Regards,
Aniket

0
Posted by Cao
Answered on November 30, 2021 1:13 am

Hi Aniket

Thank you for your detailed explanation .I know more about it now.

I am still confused by a simple question:

interface Vlan515
vrf forwarding vrf_test
ip address virtual 1.1.1.1/24
!

interface Vxlan1
vxlan source-interface Loopback1
vxlan udp-port 4789
vxlan vlan 515 vni 111
vxlan vrf vrf_test vni 1111

router bgp 60000
vlan 515
rd 172.22.244.22:1608
route-target both 1608:1608
redistribute learned

pls check the config

1: can we conside tenant vrf_test have both mac-vrf(vlan 515 l2vni 111) and ip-vrf(vrf vrf_test vni 1111)?

2: if so, why we name tenant vrf_test with the name of ip_vrf? It cause me to think mac_vrf doesn't belong to vrf_test...

0
Posted by Aniket Bhowmick
Answered on December 2, 2021 4:09 am

Hi Cao

You should not be mixing a Vlan (Vlan 515) with ip-vrf (vrf_test) as they have logically different role in forwarding a packet. A vlan is for mac-address lookup while ip-vrf is for route-lookup.

IP-VRF:

Generally a router may have only one logical routing table (known as the default vrf) which will have all the routes. But it can  be divided into multiple other routing tables (different namespace) and are known as ip-vrfs. So in this case, the subnet- 1.1.1.0/24 belongs to the logical routing-table named- "vrf_test". This should not be confused with a Vlan which is primarily used to do destination-mac lookup and forward the packet.

This subnet can be advertised in EVPN using Type-5 route and will only happen if the VRF is defined in router-bgp.

MAC-VRF:

A mac-vrf is just an evolution of ip-vrf so that BGP can generate certain routes (EVPN Type-2) to advertise mac-addresses and ARP in that Vlan. We refer to a Vlan as "mac-vrf" when the Vlan is defined in "router-bgp" with unique RD and RT. The concept of RD and RT has evolved from IP-VRF (here vrf_test is an IP-VRF ) and hence it is referred to as mac-vrf as a RD/RT has also been defined for the Vlan.

RD/RT is necessary to be configured in a mac-vrf (Vlan defined in router bgp) so that other VTEPs can import the EVPN Type-2 routes and install the mac-address in the correct Vlan (using the RT value).

To Summarise

In your case, the tenant (which could be some server connected downstream) is part of Vlan515 (Layer-2) and the Gateway for the tenant is 1.1.1.1/24 (Layer-3). So if the host has to send any packet in the same Vlan (515), it will send it to the VTEP and VTEP would "switch" the packet to the destination host (in same subnet). If the destination mac is learnt over Vxlan Tunnel, then the packet would be encapsulated.

But, if the host has to send a packet outside it's subnet (say- 2.2.2.2), then it has to first send it to it's gateway (which is 1.1.1.1) and then the router will perform a route-lookup in VRF: vrf_test and then route the packet to the destination host.

Regards,

Aniket

Post your Answer

You must be logged in to post an answer.