VXLAN Configuration check using “show vxlan config-sanity”

 
 

Introduction

Starting with EOS 4.22.0F, the show vxlan config-sanity command can be used to highlight various common errors in a VXLAN setup. This command is platform-independent.

CLI Details

switch# show vxlan config-sanity [ options ]

VXLAN Config Sanity CLI has the following options.

# show vxlan config-sanity (displays details for only FAIL and WARN checks)
# show vxlan config-sanity brief (displays a brief output for FAIL and WARN checks)
# show vxlan config-sanity detail (displays details for all checks)

The RESULT column may have one of these three entries:

  1. Status “OK” indicates a good configuration.
  2. Status “FAIL” indicates a misconfiguration.
  3. Status “WARN” indicates a potential misconfiguration which might result in failure.

Verification

There are five main categories of verification:

Local VTEP Configuration Check

  • Loopback IP Address
  • VLAN-VNI Map
  • Flood List
  • Routing

Remote VTEP Configuration Check

  • Remote VTEP reachability

Platform Dependent Check

  • VXLAN Bridging considerations
  • VXLAN Routing considerations

CVX Configuration Check

  • CVX configuration and reachability checks

MLAG Configuration Check

  • Peer VTEP IP
  • MLAG VTEP IP
  • Peer VLAN-VNI
  • Peer Flood List
  • Virtual VTEP IP

Following is a detailed description of these categories: 

Local VTEP Configuration Check

This section checks for configuration mistakes on the local VTEP. 

  • Loopback IP Address: This check fails if the Loopback IP Address is not configured under “interface Vxlan 1”:
category                            result  detail                                    
---------------------------------- -------- ----------------------------------------- 
Local VTEP Configuration Check       FAIL                                             
  Loopback IP Address                FAIL   Source interface for Vxlan1 not configured
  • VLAN-VNI Map: This check warns if the VLAN-VNI Map is incorrectly configured, e.g. VLAN 20, which does not exist in the VLAN database, has been mapped to VNI 10020. For example:
category                            result  detail                                    
---------------------------------- -------- ----------------------------------------- 
Local VTEP Configuration Check       WARN                                      
  VLAN-VNI Map                       WARN   VLAN 20 does not exist 
  • Verify VLAN-VNI Mappings with CVX: This output shows a warning when the CLI-configured VLAN-VNI mapping is inconsistent with CVX’s mapping. Example:

If the CLI configuration is VLAN 10 -> VNI 10010, but VLAN 10 -> VNI 10020 is received from CVX:

category                            result  detail                             
---------------------------------- -------- ----------------------------------
Local VTEP configuration check     WARN
  VLAN-VNI Map, VLAN 10            WARN     dynamic VLAN 10 conflict

If a VNI conflict exists, i.e. the CLI configuration is VLAN 10 -> VNI 10010, but VLAN 20 -> VNI 10010 is received from CVX:

category                            result  detail                             
---------------------------------- -------- ----------------------------------
Local VTEP configuration check     WARN
  VLAN-VNI Map, VLAN 20            WARN     dynamic VNI 20 conflict
  • Flood List: Here we check for the configuration of remote VTEPs in the flood list. A couple of examples of why this check could fail:

1. Flood list check fails when the switch does not have any flood list configured:

category                            result  detail                             
---------------------------------- -------- ---------------------------------- 
Local VTEP Configuration Check       FAIL                                      
  Flood List                         FAIL   No flood list configured

2. If the flood list only contains local VTEP IP, the following failure is shown.

category                            result  detail                             
---------------------------------- -------- ---------------------------------- 
Local VTEP Configuration Check       FAIL                                      
  Flood List                         FAIL   No remote VTEP in VLAN 10

3. Flood list check fails when no VLAN-VNI mappings exist

category                            result  detail                             
---------------------------------- -------- ---------------------------------- 
Local VTEP Configuration Check       FAIL                                      
  Flood List                         FAIL   No VXLAN VLANs in Vxlan1 

4. If the flood list has not yet been received from the CVX server:

category                            result  detail                             
---------------------------------- -------- ---------------------------------- 
Local VTEP Configuration Check       WARN                                      
  Flood List                         WARN   No flood list configured from CVX  
  • Routing: If a routing configuration is detected, i.e. an overlay SVI has a virtual IP configured or a virtual VTEP IP is detected, the VTEP itself must have a virtual VTEP IP and a virtual MAC configured. The following failure appears when these two items are not configured.
category                            result  detail                             
---------------------------------- -------- ----------------------------------
Local VTEP configuration check     FAIL
 Routing                          FAIL     Virtual MAC is not configured
 Routing                          FAIL     Virtual VTEP IP is not configured

You can refer to the TOI below for more detailed information on the need for a vVTEP IP in particular scenarios and the problems addressed by it:

https://eos.arista.com/virtual-ips-in-vxlan-and-need-for-vvtep/ 

Remote VTEP Configuration Check

  • Remote VTEP: This is a reachability check for remote VTEPs. For example, the check fails if a remote VTEP 2.2.2.2 is configured in the flood list or learned via CVX, but the local VTEP has no route to this remote VTEP.
category                            result  detail                             
---------------------------------- -------- ---------------------------------- 
Remote VTEP Configuration Check      FAIL                                      
  Remote VTEP                        FAIL   No route to 2.2.2.2

Platform Dependent Check

This category deals with platform-specific VXLAN configurations. It shows VXLAN features that are platform-dependent and whether the user has configured specific commands needed for VXLAN to work properly.

  • VXLAN Bridging: Shown when a platform doesn’t support VXLAN bridging. Example:
category                            result  detail                             
---------------------------------- -------- ---------------------------------- 
Platform Dependent Check           OK
  VXLAN Bridging                   OK       VXLAN Bridging not supported
  • VXLAN Routing: Shown when a platform doesn’t support VXLAN routing. Example:
category                            result  detail                             
---------------------------------- -------- ---------------------------------- 
Platform Dependent Check           OK
  VXLAN Routing                    OK       VXLAN Routing not supported

Please refer to https://www.arista.com/en/support/product-documentation/supported-features to check which platforms support certain features.

  • VXLAN Routing is not yet enabled: Shown for platforms that support VXLAN Routing, but on which VXLAN Routing is not yet enabled (i.e. no IPs assigned to SVIs). This is an informational log and can be ignored. Example:
category                            result  detail                             
---------------------------------- -------- ---------------------------------- 
Platform Dependent Check           OK
 VXLAN Routing                     OK    VXLAN Routing not enabled          

When VXLAN routing is supported and configured, the following checks are performed.

  • Recirc-channel configuration: On 7050X, 7060CX, and 7260QX series switches (except 7050X2, 7260CX-64, 7300X), a recirculation channel must be created in order to perform VXLAN routing. Please refer to https://eos.arista.com/eos-4-15-2f/vxlan-routing/ for more information on recirculation.
category                            result  detail                             
---------------------------------- -------- ---------------------------------- 
Platform configuration check       OK
  Recirc-channel configuration     OK       No recirc-channel is configured
  • TCAM profile not configured: On platforms 7280E, 7280R and 7500R, a VXLAN-routing-specific TCAM profile must be configured using “hardware tcam profile vxlan-routing” in order to achieve VXLAN routing.
category                            result  detail                             
---------------------------------- -------- ---------------------------------- 
Platform configuration check       FAIL
  TCAM profile configuration       FAIL     TCAM profile not configured

CVX Configuration Check

  • CVX Server: This checks for configuration issues with respect to the CVX server. The check fails if the CVX server IP is not configured or not reachable. Example:
category                            result  detail                             
---------------------------------- -------- ----------------------------------
CVX Configuration Check              FAIL                                      
  CVX Server                         FAIL   No leader Found 

Please refer to https://www.arista.com/en/um-eos/eos-cloudvision-exchange-cvx#unique_308501120 for CVX configuration steps.

MLAG Configuration Check 

This section is similar to the MLAG config-sanity check. Please refer to https://eos.arista.com/eos-4-15-2f/mlag-config-check/ for more information on MLAG config sanity.

To pass this check, VTEP configurations must be identical across MLAG pairs. 

  • Peer VTEP IP: This checks whether the VTEP IPs configured on the MLAG peers are identical.
category                            result  detail                             
---------------------------------- -------- ----------------------------------
MLAG configuration check           FAIL
 VTEP IP                          FAIL     VTEP IPs not identical
  • MLAG VTEP IP: This checks that the MLAG VTEP IP is the same on both peers.
category                            result  detail                             
---------------------------------- -------- ----------------------------------
MLAG Configuration Check             FAIL                                      
 MLAG VTEP IP                       FAIL   Peer has different MLAG VTEP IP    

Note: Please refer to https://eos.arista.com/eos-4-21-3f/multi-vtep-mlag/ for more information on MLAG VTEP IP.

  • Peer VLAN-VNI: This checks whether the VLAN-VNI mappings configured on the MLAG peers are identical.
category                            result  detail                             
---------------------------------- -------- ----------------------------------
MLAG configuration check           FAIL
  VLAN-VNI Map                     FAIL     VLAN-VNI maps not identical
  • Peer Flood List: This checks whether the flood lists configured on the MLAG peers are identical.
category                            result  detail                             
---------------------------------- -------- ----------------------------------
MLAG configuration check           FAIL
  Flood list                       FAIL     Flood lists not identical
  • Virtual VTEP IP: This checks that the Virtual VTEP IP is the same on both peers.
category                            result  detail                             
---------------------------------- -------- ----------------------------------
MLAG Configuration Check             FAIL                                      
  Virtual VTEP IP                    FAIL   Peer vVTEP IP does not match

Please refer to the article https://eos.arista.com/virtual-ips-in-vxlan-and-need-for-vvtep/ for more information on vVTEP IP.
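For monitoring or change-validation jobs, the category/result/detail layout shown throughout this article can be parsed so that FAIL and WARN rows are surfaced automatically. The following is an added example, not Arista code: the function names are hypothetical, the sample text is constructed from rows shown above, and how the command output is collected from the switch is left to your tooling.

```python
import re

# Row shape used by the outputs on this page: name, RESULT, optional detail.
ROW = re.compile(
    r"^(?P<indent>\s*)(?P<name>\S.*?)\s+(?P<result>OK|FAIL|WARN)"
    r"(?:\s+(?P<detail>.*\S))?\s*$"
)
SEVERITY = {"FAIL": 0, "WARN": 1, "OK": 2}

# Constructed sample, assembled from rows shown in this article.
SAMPLE = """\
category                            result  detail
---------------------------------- -------- ----------------------------------
Local VTEP Configuration Check       FAIL
  VLAN-VNI Map                       WARN   VLAN 20 does not exist
  Flood List                         FAIL   No remote VTEP in VLAN 10
Remote VTEP Configuration Check      FAIL
  Remote VTEP                        FAIL   No route to 2.2.2.2
Platform Dependent Check           OK
 VXLAN Routing                     OK    VXLAN Routing not enabled
"""

def parse_config_sanity(text):
    """Return one dict per sub-check: category, check, result, detail."""
    findings, category = [], None
    for line in text.splitlines():
        if line.lstrip().startswith(("category", "---")):
            continue  # header and separator rows
        m = ROW.match(line)
        if m is None:
            continue  # blank or unrecognised line
        if not m["indent"]:
            category = m["name"]  # unindented row is the category summary
            continue
        findings.append({
            "category": category,
            "check": m["name"],
            "result": m["result"],
            "detail": m["detail"] or "",
        })
    return findings

def needs_attention(findings):
    """FAIL and WARN sub-checks, FAIL first, original order otherwise."""
    bad = [f for f in findings if f["result"] != "OK"]
    return sorted(bad, key=lambda f: SEVERITY[f["result"]])

if __name__ == "__main__":
    for f in needs_attention(parse_config_sanity(SAMPLE)):
        print(f'{f["result"]:4} {f["category"]} / {f["check"]}: {f["detail"]}')
```

The parser keys on the RESULT token rather than fixed column offsets, because the column alignment differs between the sample outputs above.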

 

If the issue is still seen after corrective measures, collect the outputs below and reach out to Arista TAC by sending an email to support@arista.com

CLI commands:
show tech-support all | gzip > /mnt/flash/show-tech-$HOSTNAME-$(date +%m_%d.%H%M).log.gz
bash sudo tar -cvf - /var/log/qt/ > /mnt/flash/qt-logs-$HOSTNAME-$(date +%m_%d.%H%M).tar.gz