GNS3 LAB Cisco : Nexus 9000v Control-plane based VxLAN BGP-EVPN Bridging Config and Verification.

I have written a few blogs on BGP EVPN and on VxLAN earlier. Those blogs focused on IOS-XE and IOS-XR devices. I recently started my Data Center journey, so I wanted to do some labs on Nexus devices as well, and what better place than GNS3 for this? I learned that the Nexus9000v switch is available for GNS3; setup was very quick and it has been working like a charm since day one. I have done a few labs so far on Nexus9000v, and one of them you can find here: GNS3 Cisco LAB : Nexus 9000v NxOS VxLAN Lab and concept. Please go through that blog to refresh your VxLAN understanding and build the foundation for this one.

Let me quickly start with the configuration example. If you are looking for the basics of EVPN explained, please check the blogs below.

EVPN Single home : GNS3 LAB Cisco : BGP-EVPN Single Home Configuration

EVPN Multihome : GNS3 Lab Cisco : EVPN Multihome Concept and Configurations

EVPN IRB : GNS3 LAB Cisco : EVPN (BGP/MPLS) IRB (integrated routing and bridging) Configuration and Verification.

Network Diag.

Configurations:

Leaf-1:

nv overlay evpn
feature ospf
feature bgp
feature vn-segment-vlan-based
feature nv overlay
!
ip igmp snooping vxlan
vlan 1,10
vlan 10
  vn-segment 1000
!
interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 1000
    suppress-arp
    mcast-group 239.0.0.1
!
interface Ethernet1/1
  ip address 10.10.10.1/30
  ip router ospf 1 area 0.0.0.0
  no shutdown
!
interface Ethernet1/2
  ip address 10.10.10.5/30
  ip router ospf 1 area 0.0.0.0
  no shutdown
!
interface Ethernet1/3
  switchport
  switchport access vlan 10
  no shutdown
!
interface loopback1
  ip address 1.1.1.1/32
  ip router ospf 1 area 0.0.0.0
!
router ospf 1
  router-id 1.1.1.1
!
router bgp 65000
  template peer iBGP-EVPN
    remote-as 65000
    update-source loopback1
    address-family l2vpn evpn
      send-community extended
  neighbor 2.2.2.2
    inherit peer iBGP-EVPN
  neighbor 3.3.3.3
    inherit peer iBGP-EVPN
!
evpn
  vni 1000 l2
    rd auto
    route-target import auto
    route-target export auto
!

Leaf-2:

nv overlay evpn
feature ospf
feature bgp
feature vn-segment-vlan-based
feature nv overlay
!
ip igmp snooping vxlan
vlan 1,10
vlan 10
  vn-segment 1000
!
interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 1000
    suppress-arp
    mcast-group 239.0.0.1
!
interface Ethernet1/1
  ip address 10.10.10.10/30
  ip router ospf 1 area 0.0.0.0
  no shutdown
!
interface Ethernet1/2
  ip address 10.10.10.14/30
  ip router ospf 1 area 0.0.0.0
  no shutdown
!
interface Ethernet1/3
  switchport
  switchport access vlan 10
  no shutdown
!
interface loopback1
  ip address 4.4.4.4/32
  ip router ospf 1 area 0.0.0.0
!
router ospf 1
  router-id 4.4.4.4
!
router bgp 65000
  template peer iBGP-EVPN
    remote-as 65000
    update-source loopback1
    address-family l2vpn evpn
      send-community extended
  neighbor 2.2.2.2
    inherit peer iBGP-EVPN
  neighbor 3.3.3.3
    inherit peer iBGP-EVPN
!
evpn
  vni 1000 l2
    rd auto
    route-target import auto
    route-target export auto
!

Spine-1

nv overlay evpn
feature ospf
feature bgp
feature vn-segment-vlan-based
feature nv overlay
!
interface Ethernet1/1
  ip address 10.10.10.2/30
  ip router ospf 1 area 0.0.0.0
  no shutdown
!
interface Ethernet1/2
  ip address 10.10.10.9/30
  ip router ospf 1 area 0.0.0.0
  no shutdown
!
interface loopback1
  ip address 2.2.2.2/32
  ip router ospf 1 area 0.0.0.0
!
router ospf 1
  router-id 2.2.2.2
!
router bgp 65000
  template peer iBGP-EVPN
    remote-as 65000
    update-source loopback1
    address-family l2vpn evpn
      send-community extended
      route-reflector-client
  neighbor 1.1.1.1
    inherit peer iBGP-EVPN
  neighbor 4.4.4.4
    inherit peer iBGP-EVPN
!

Spine-2

!
nv overlay evpn
feature ospf
feature bgp
feature vn-segment-vlan-based
feature nv overlay
!
interface Ethernet1/1
  ip address 10.10.10.6/30
  ip router ospf 1 area 0.0.0.0
  no shutdown
!
interface Ethernet1/2
  ip address 10.10.10.13/30
  ip router ospf 1 area 0.0.0.0
  no shutdown
!
interface loopback1
  ip address 3.3.3.3/32
  ip router ospf 1 area 0.0.0.0
!
router ospf 1
  router-id 3.3.3.3
!
router bgp 65000
  template peer iBGP-EVPN
    remote-as 65000
    update-source loopback1
    address-family l2vpn evpn
      send-community extended
      route-reflector-client
  neighbor 1.1.1.1
    inherit peer iBGP-EVPN
  neighbor 4.4.4.4
    inherit peer iBGP-EVPN
!

Verification:

In the outputs below you should notice the EVPN sessions between the Leaf and the Spines. There is no direct session between the Leafs. All routes (in this case MAC addresses) are reflected by the BGP route reflectors.

Leaf-1# sh bgp l2vpn evpn summary
BGP summary information for VRF default, address family L2VPN EVPN
BGP router identifier 1.1.1.1, local AS number 65000
BGP table version is 10, L2VPN EVPN config peers 2, capable peers 2
6 network entries and 8 paths using 2280 bytes of memory
BGP attribute entries [5/1600], BGP AS path entries [0/0]
BGP community entries [0/0], BGP clusterlist entries [2/8]

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4 65000      25      23       10    0    0 00:17:48 2
3.3.3.3         4 65000      25      23       10    0    0 00:17:45 2
Leaf-1# sh bgp l2vpn evpn
BGP routing table information for VRF default, address family L2VPN EVPN
BGP table version is 10, Local Router ID is 1.1.1.1
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - best2

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 1.1.1.1:32777    (L2VNI 1000)
*>l[2]:[0]:[0]:[48]:[0050.7966.6800]:[0]:[0.0.0.0]/216
                      1.1.1.1                           100      32768 i
*>i[2]:[0]:[0]:[48]:[0050.7966.6801]:[0]:[0.0.0.0]/216
                      4.4.4.4                           100          0 i
*>l[2]:[0]:[0]:[48]:[0050.7966.6800]:[32]:[192.168.10.1]/248
                      1.1.1.1                           100      32768 i
*>i[2]:[0]:[0]:[48]:[0050.7966.6801]:[32]:[192.168.10.2]/248
                      4.4.4.4                           100          0 i

Route Distinguisher: 4.4.4.4:32777
* i[2]:[0]:[0]:[48]:[0050.7966.6801]:[0]:[0.0.0.0]/216
                      4.4.4.4                           100          0 i
*>i                   4.4.4.4                           100          0 i
*>i[2]:[0]:[0]:[48]:[0050.7966.6801]:[32]:[192.168.10.2]/248
                      4.4.4.4                           100          0 i
* i                   4.4.4.4                           100          0 i
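
The following Python parser is an added example, not part of the original lab. It reads the type-2 (MAC/IP) entries from the "sh bgp l2vpn evpn" output above and groups the learned MAC addresses by advertising VTEP (BGP next hop), so you can confirm each host is reached through the expected leaf. The function names and regular expressions are assumptions based on the output format shown here.

```python
import re

# Excerpt copied from the Leaf-1 "sh bgp l2vpn evpn" output shown above.
SAMPLE = """\
Route Distinguisher: 1.1.1.1:32777    (L2VNI 1000)
*>l[2]:[0]:[0]:[48]:[0050.7966.6800]:[0]:[0.0.0.0]/216
                      1.1.1.1                           100      32768 i
*>i[2]:[0]:[0]:[48]:[0050.7966.6801]:[0]:[0.0.0.0]/216
                      4.4.4.4                           100          0 i
*>l[2]:[0]:[0]:[48]:[0050.7966.6800]:[32]:[192.168.10.1]/248
                      1.1.1.1                           100      32768 i
*>i[2]:[0]:[0]:[48]:[0050.7966.6801]:[32]:[192.168.10.2]/248
                      4.4.4.4                           100          0 i
"""

RD_RE = re.compile(r"^Route Distinguisher:\s+(\S+)(?:\s+\(L2VNI (\d+)\))?")
# Status flags, path type, then the bracketed type-2 key:
# [2]:[ESI]:[EthTag]:[MAC len]:[MAC]:[IP len]:[IP]/prefix length
T2_RE = re.compile(
    r"^([*> ]{2})([a-zA-Z])\[2\]:\[(\w+)\]:\[(\d+)\]:\[(\d+)\]:"
    r"\[([0-9a-f.]+)\]:\[(\d+)\]:\[([0-9a-f.:]+)\]/(\d+)")
NH_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s")

def parse_type2(text):
    """Return one dict per type-2 (MAC/IP) route with its RD, VNI and next hop."""
    routes, rd, vni, pending = [], None, None, None
    for line in text.splitlines():
        if m := RD_RE.match(line):
            rd, vni = m.group(1), m.group(2)
        elif m := T2_RE.match(line):
            ip_len = int(m.group(7))  # 0 means a MAC-only route
            pending = {"rd": rd, "vni": vni, "best": ">" in m.group(1),
                       "local": m.group(2) == "l", "mac": m.group(6),
                       "ip": m.group(8) if ip_len else None}
        elif pending and (m := NH_RE.match(line)):
            pending["next_hop"] = m.group(1)  # VTEP advertising the route
            routes.append(pending)
            pending = None
    return routes

def macs_by_vtep(routes):
    """Map each VTEP (BGP next hop) to the set of MACs it advertises."""
    table = {}
    for r in routes:
        table.setdefault(r["next_hop"], set()).add(r["mac"])
    return table
```

For this lab the result maps 1.1.1.1 to PC1's MAC and 4.4.4.4 to PC2's MAC; a MAC that shows up behind a VTEP you did not expect is the thing to look into.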

For the ping test I have two VPC hosts connected directly to the two Leaf switches, in VLAN 10 on Ethernet1/3. There is no other way for these hosts to reach each other.

End-to-End Ping Verification :

PC1> sh ip

NAME        : PC1[1]
IP/MASK     : 192.168.10.1/24
GATEWAY     : 255.255.255.0
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10072
RHOST:PORT  : 127.0.0.1:10073
MTU         : 1500

PC2> show ip

NAME        : PC2[1]
IP/MASK     : 192.168.10.2/24
GATEWAY     : 255.255.255.0
DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10074
RHOST:PORT  : 127.0.0.1:10075
MTU         : 1500


PC1> ping 192.168.10.2

84 bytes from 192.168.10.2 icmp_seq=1 ttl=64 time=3.010 ms
84 bytes from 192.168.10.2 icmp_seq=2 ttl=64 time=3.436 ms
84 bytes from 192.168.10.2 icmp_seq=3 ttl=64 time=3.373 ms
84 bytes from 192.168.10.2 icmp_seq=4 ttl=64 time=3.304 ms
84 bytes from 192.168.10.2 icmp_seq=5 ttl=64 time=3.360 ms

PC1>

Important note for GNS3 users.

The suppress-arp command under the NVE interface does not take effect until the additional commands below are added. This is important: without them you will not be able to make the end-to-end ping work.

int nve1
  member vni 1000
    suppress-arp

Warning: Please configure TCAM region for Ingress ARP-Ether ACL for ARP supression to work.

Commands needed to make it work:

hardware access-list tcam region racl 512
hardware access-list tcam region arp-ether 256 double-wide
