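Introduction
Continuing from the previous article, this post again verifies logical separation of traffic.
This time I implement EVPN-VXLAN, a relatively new technology, and build an L2VPN.
Environment
The lab runs on CML hosted on Proxmox VE.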
- CML2.7
Next, the nodes used:
- Catalyst 9000v UADP ×4 (hereafter cat9000v)
- CSR 1000v ×4 (hereafter csr1000v)
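Topology
This is the topology used this time.
Yellow is the assumed carrier, blue is company A and red is company B. In this scenario, company A and company B cannot route to each other and hold the same, overlapping IPv4 addresses.
Because I use the VLAN-based [1] model of EVPN-VXLAN, VLAN, VNI and EVI are all bundled one-to-one. Traffic separation as an L2VPN is already complete at this point, but this time I also configured SVIs on cat9000v-uadp-3 as the IRB and separated them with VRFs. VLAN, VNI, EVI, SVI and VRF are therefore all bundled one-to-one, and company A's routers exchange routes with the other site by establishing BGP peering toward company A's IRB.
Although I call it IRB, in this scenario neither company A nor company B routes through the IRB, so it acts as a plain bridge only. (Putting the SVIs into the same VRF would make routing between those VLANs through the IRB possible.)
Also, the previous article was an L3VPN, so the segment changed between the left-hand and right-hand routers. This time it is an L2VPN, so L2 extension is also possible as long as the G1 interfaces of the routers at both ends can be bridged.
The yellow carrier area uses level-1 IS-IS for underlay route exchange to keep the implementation simple. By borrowing the IP address of the loopback interface, I also skipped IPv4 addressing on the segments between devices.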
Configuration
This assumes that the Advantage license has already been enabled [2] on the four cat9000v nodes.
cat9000v-uadp-0
en
!
conf t
!
ip routing
!
vlan configuration 101
member evpn-instance 101 vni 10101
!
vlan configuration 201
member evpn-instance 201 vni 20202
!
interface Loopback0
ip address 11.11.11.11 255.255.255.255
ip router isis
!
interface GigabitEthernet1/0/1
switchport access vlan 101
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/3
no switchport
ip unnumbered Loopback0
ip router isis
!
router isis
net 49.0001.0110.1101.1011.00
is-type level-1
!
router bgp 65001
bgp log-neighbor-changes
no bgp default ipv4-unicast
bgp router-id 11.11.11.11
neighbor 22.22.22.22 remote-as 65001
neighbor 22.22.22.22 update-source Loopback0
!
address-family ipv4
exit-address-family
!
address-family l2vpn evpn
neighbor 22.22.22.22 activate
neighbor 22.22.22.22 send-community both
exit-address-family
!
l2vpn evpn
replication-type ingress
!
l2vpn evpn instance 101 vlan-based
encapsulation vxlan
!
l2vpn evpn instance 201 vlan-based
encapsulation vxlan
!
interface nve1
no ip address
source-interface Loopback0
host-reachability protocol bgp
member vni 10101 ingress-replication
member vni 20202 ingress-replication
!
end
!
cat9000v-uadp-1
en
!
conf t
!
ip routing
!
interface Loopback 0
ip address 22.22.22.22 255.255.255.255
ip router isis
!
interface GigabitEthernet 1/0/1
no switchport
ip unnumbered Loopback0
ip router isis
!
interface GigabitEthernet 1/0/3
no switchport
ip unnumbered Loopback0
ip router isis
!
interface GigabitEthernet 1/0/4
no switchport
ip unnumbered Loopback0
ip router isis
!
router isis
net 49.0001.0220.2202.2022.00
is-type level-1
!
router bgp 65001
template peer-policy POLICY
route-reflector-client
send-community extended
exit-peer-policy
!
template peer-session SESSION
remote-as 65001
update-source Loopback0
exit-peer-session
!
bgp router-id 22.22.22.22
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 11.11.11.11 inherit peer-session SESSION
neighbor 33.33.33.33 inherit peer-session SESSION
neighbor 44.44.44.44 inherit peer-session SESSION
!
address-family ipv4
exit-address-family
!
address-family l2vpn evpn
neighbor 11.11.11.11 activate
neighbor 11.11.11.11 inherit peer-policy POLICY
neighbor 33.33.33.33 activate
neighbor 33.33.33.33 inherit peer-policy POLICY
neighbor 44.44.44.44 activate
neighbor 44.44.44.44 inherit peer-policy POLICY
exit-address-family
!
end
!
cat9000v-uadp-2
en
!
conf t
!
ip routing
!
vlan configuration 101
member evpn-instance 101 vni 10101
!
vlan configuration 201
member evpn-instance 201 vni 20202
!
interface Loopback 0
ip address 33.33.33.33 255.255.255.255
ip router isis
!
interface GigabitEthernet1/0/1
switchport access vlan 101
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet 1/0/4
no switchport
ip unnumbered Loopback0
ip router isis
!
router isis
net 49.0001.0330.3303.3033.00
is-type level-1
!
router bgp 65001
bgp log-neighbor-changes
no bgp default ipv4-unicast
bgp router-id 33.33.33.33
neighbor 22.22.22.22 remote-as 65001
neighbor 22.22.22.22 update-source Loopback0
!
address-family ipv4
exit-address-family
!
address-family l2vpn evpn
neighbor 22.22.22.22 activate
neighbor 22.22.22.22 send-community both
exit-address-family
!
l2vpn evpn
replication-type ingress
!
l2vpn evpn instance 101 vlan-based
encapsulation vxlan
!
l2vpn evpn instance 201 vlan-based
encapsulation vxlan
!
interface nve1
no ip address
source-interface Loopback0
host-reachability protocol bgp
member vni 10101 ingress-replication
member vni 20202 ingress-replication
!
end
!
cat9000v-uadp-3
en
!
conf t
!
ip routing
!
vlan configuration 101
member evpn-instance 101 vni 10101
!
vlan configuration 201
member evpn-instance 201 vni 20202
!
interface Loopback 0
ip address 44.44.44.44 255.255.255.255
ip router isis
!
interface GigabitEthernet 1/0/1
no switchport
ip unnumbered Loopback0
ip router isis
!
vrf definition IRB-101
rd 65002:1
address-family ipv4 unicast
!
vrf definition IRB-201
rd 65003:1
address-family ipv4 unicast
!
router isis
net 49.0001.0440.4404.4044.00
is-type level-1
!
router bgp 65001
!
bgp log-neighbor-changes
no bgp default ipv4-unicast
bgp router-id 44.44.44.44
neighbor 22.22.22.22 remote-as 65001
neighbor 22.22.22.22 update-source Loopback0
!
address-family ipv4
exit-address-family
!
address-family ipv4 vrf IRB-101
advertise l2vpn evpn
redistribute connected
redistribute static
neighbor 1.1.1.1 remote-as 65002
neighbor 1.1.1.2 remote-as 65002
neighbor 1.1.1.1 activate
neighbor 1.1.1.2 activate
exit-address-family
!
address-family ipv4 vrf IRB-201
advertise l2vpn evpn
redistribute connected
redistribute static
neighbor 2.2.2.1 remote-as 65003
neighbor 2.2.2.2 remote-as 65003
neighbor 2.2.2.1 activate
neighbor 2.2.2.2 activate
exit-address-family
!
address-family l2vpn evpn
neighbor 22.22.22.22 activate
neighbor 22.22.22.22 send-community both
exit-address-family
!
l2vpn evpn
replication-type ingress
default-gateway advertise
!
l2vpn evpn instance 101 vlan-based
encapsulation vxlan
!
l2vpn evpn instance 201 vlan-based
encapsulation vxlan
!
interface Vlan101
vrf forwarding IRB-101
ip address 1.1.1.254 255.255.255.0
no autostate
!
interface Vlan201
vrf forwarding IRB-201
ip address 2.2.2.254 255.255.255.0
no autostate
!
interface nve1
no ip address
source-interface Loopback0
host-reachability protocol bgp
member vni 10101 ingress-replication
member vni 20202 ingress-replication
!
end
!
csr1000v-0
en
!
conf t
!
ip routing
!
interface Loopback 0
ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet 1
ip address 1.1.1.1 255.255.255.0
no shutdown
!
router bgp 65002
neighbor 1.1.1.254 remote-as 65001
neighbor 1.1.1.254 allowas-in
no auto-summary
no synchronization
redistribute connected
!
end
!
csr1000v-1
en
!
conf t
!
ip routing
!
interface Loopback 0
ip address 10.0.0.2 255.255.255.255
!
interface GigabitEthernet 1
ip address 2.2.2.1 255.255.255.0
no shutdown
!
router bgp 65003
neighbor 2.2.2.254 remote-as 65001
neighbor 2.2.2.254 allowas-in
no auto-summary
no synchronization
redistribute connected
!
end
!
csr1000v-2
en
!
conf t
!
ip routing
!
interface Loopback 0
ip address 10.0.0.3 255.255.255.255
!
interface GigabitEthernet 1
ip address 1.1.1.2 255.255.255.0
no shutdown
!
router bgp 65002
neighbor 1.1.1.254 remote-as 65001
neighbor 1.1.1.254 allowas-in
no auto-summary
no synchronization
redistribute connected
!
end
!
csr1000v-3
en
!
conf t
!
ip routing
!
interface Loopback 0
ip address 10.0.0.4 255.255.255.255
!
interface GigabitEthernet 1
ip address 2.2.2.2 255.255.255.0
no shutdown
!
router bgp 65003
neighbor 2.2.2.254 remote-as 65001
neighbor 2.2.2.254 allowas-in
no auto-summary
no synchronization
redistribute connected
!
end
!
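The separation between company A and company B rests on every VLAN having its own EVI and its own VNI on each VTEP. The following is an added example, not part of the original article: an offline audit of a saved configuration file that reports any break in that one-to-one binding. The sample is an excerpt of the cat9000v-uadp-0 configuration above with indentation restored; `BAD_CONFIG` is a constructed variant, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the cat9000v-uadp-0 configuration shown on this page.
GOOD_CONFIG = """\
vlan configuration 101
 member evpn-instance 101 vni 10101
!
vlan configuration 201
 member evpn-instance 201 vni 20202
!
l2vpn evpn instance 101 vlan-based
 encapsulation vxlan
!
l2vpn evpn instance 201 vlan-based
 encapsulation vxlan
!
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 10101 ingress-replication
 member vni 20202 ingress-replication
!
"""

# Constructed misconfiguration: company B's VLAN 201 bound to company A's VNI.
BAD_CONFIG = GOOD_CONFIG.replace(
    "member evpn-instance 201 vni 20202", "member evpn-instance 201 vni 10101"
)


def parse(config):
    """Return (vlan -> (evi, vni), declared EVIs, VNIs that are NVE members)."""
    vlan_map, evis, nve_vnis = {}, set(), set()
    section = None  # ("vlan", id) or ("nve", None) while inside such a block
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs whose indentation was lost
        if not line or line == "!":
            section = None
        elif m := re.fullmatch(r"vlan configuration (\d+)", line):
            section = ("vlan", int(m.group(1)))
        elif m := re.fullmatch(r"l2vpn evpn instance (\d+) vlan-based", line):
            evis.add(int(m.group(1)))
            section = None
        elif re.fullmatch(r"interface nve\d+", line):
            section = ("nve", None)
        elif line.startswith("interface "):
            section = None
        elif section and section[0] == "vlan" and (
            m := re.fullmatch(r"member evpn-instance (\d+) vni (\d+)", line)
        ):
            vlan_map[section[1]] = (int(m.group(1)), int(m.group(2)))
        elif section and section[0] == "nve" and (
            m := re.match(r"member vni (\d+)\b", line)
        ):
            nve_vnis.add(int(m.group(1)))
    return vlan_map, evis, nve_vnis


def audit(config):
    """List every way the config breaks the one VLAN = one EVI = one VNI rule."""
    vlan_map, evis, nve_vnis = parse(config)
    findings = []
    by_evi, by_vni = defaultdict(list), defaultdict(list)
    for vlan, (evi, vni) in sorted(vlan_map.items()):
        by_evi[evi].append(vlan)
        by_vni[vni].append(vlan)
        if evi not in evis:
            findings.append(f"VLAN {vlan}: EVI {evi} has no 'l2vpn evpn instance'")
        if vni not in nve_vnis:
            findings.append(f"VLAN {vlan}: VNI {vni} is not a member of the NVE")
    for evi, vlans in sorted(by_evi.items()):
        if len(vlans) > 1:
            findings.append(f"EVI {evi} is shared by VLANs {vlans}")
    for vni, vlans in sorted(by_vni.items()):
        if len(vlans) > 1:
            findings.append(f"VNI {vni} is shared by VLANs {vlans}")
    bound = {vni for _, vni in vlan_map.values()}
    for vni in sorted(nve_vnis - bound):
        findings.append(f"NVE member VNI {vni} is not bound to any VLAN")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit(cfg) or "one-to-one binding holds")
```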
show command output
show bgp l2vpn evpn summary
cat9000v-uadp-0
inserthostname-here#show bgp l2vpn evpn summary
BGP router identifier 11.11.11.11, local AS number 65001
BGP table version is 150, main routing table version 150
43 network entries using 16512 bytes of memory
43 path entries using 9976 bytes of memory
12/12 BGP path/bestpath attribute entries using 3552 bytes of memory
2 BGP rrinfo entries using 80 bytes of memory
4 BGP extended community entries using 160 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 30280 total bytes of memory
BGP activity 92/49 prefixes, 96/53 paths, scan interval 60 secs
43 networks peaked at 10:00:55 Jan 2 2025 UTC (04:38:36.052 ago)
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
22.22.22.22 4 65001 426 383 150 0 0 05:32:07 16
cat9000v-uadp-1
inserthostname-here#show bgp l2vpn evpn summary
BGP router identifier 22.22.22.22, local AS number 65001
BGP table version is 113, main routing table version 113
32 network entries using 12288 bytes of memory
32 path entries using 7424 bytes of memory
13/13 BGP path/bestpath attribute entries using 3848 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
4 BGP extended community entries using 160 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 23768 total bytes of memory
BGP activity 67/34 prefixes, 72/40 paths, scan interval 60 secs
33 networks peaked at 10:02:00 Jan 2 2025 UTC (04:41:38.187 ago)
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
11.11.11.11 4 65001 387 432 113 0 0 05:36:14 11
33.33.33.33 4 65001 387 431 113 0 0 05:36:28 11
44.44.44.44 4 65001 337 371 113 0 0 04:51:11 10
cat9000v-uadp-2
inserthostname-here#show bgp l2vpn evpn summary
BGP router identifier 33.33.33.33, local AS number 65001
BGP table version is 150, main routing table version 150
41 network entries using 15744 bytes of memory
41 path entries using 9512 bytes of memory
12/12 BGP path/bestpath attribute entries using 3552 bytes of memory
2 BGP rrinfo entries using 80 bytes of memory
4 BGP extended community entries using 160 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 29048 total bytes of memory
BGP activity 87/45 prefixes, 95/54 paths, scan interval 60 secs
42 networks peaked at 10:00:55 Jan 2 2025 UTC (04:43:04.265 ago)
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
22.22.22.22 4 65001 431 387 150 0 0 05:36:49 15
cat9000v-uadp-3
inserthostname-here#show bgp l2vpn evpn summary
BGP router identifier 44.44.44.44, local AS number 65001
BGP table version is 145, main routing table version 145
54 network entries using 20736 bytes of memory
58 path entries using 13456 bytes of memory
13/13 BGP path/bestpath attribute entries using 3848 bytes of memory
2 BGP rrinfo entries using 80 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
4 BGP extended community entries using 160 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 38328 total bytes of memory
BGP activity 101/39 prefixes, 117/49 paths, scan interval 60 secs
56 networks peaked at 10:02:00 Jan 2 2025 UTC (04:42:18.083 ago)
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
22.22.22.22 4 65001 371 338 145 0 0 04:51:51 22
show l2route evpn mac ip
cat9000v-uadp-0
inserthostname-here#show l2route evpn mac ip
EVI ETag Prod Mac Address Host IP Next Hop(s)
----- ---------- ----- -------------- --------------------------------------- --------------------------------------------------
101 0 BGP 5254.000a.7386 1.1.1.2 V:10101 33.33.33.33
101 0 L2VPN 5254.0010.63c2 1.1.1.1 Gi1/0/1:101
101 0 BGP 5254.0016.7b13 FE80::5054:FF:FE16:7B13 V:10101 33.33.33.33
101 0 BGP 5254.0018.0f0a 1.1.1.254 V:10101 44.44.44.44
101 0 L2VPN 5254.001d.7fc1 FE80::5054:FF:FE1D:7FC1 Gi1/0/1:101
201 0 L2VPN 5254.000b.91d1 1.1.1.1 Gi1/0/2:201
201 0 BGP 5254.0018.0f15 1.1.1.254 V:20202 44.44.44.44
201 0 BGP 5254.001b.ad0d 1.1.1.2 V:20202 33.33.33.33
201 0 L2VPN 5254.001f.aa82 FE80::5054:FF:FE1F:AA82 Gi1/0/2:201
cat9000v-uadp-1
No entries are shown because this is a transit router.
inserthostname-here#show l2route evpn mac ip
EVI ETag Prod Mac Address Host IP Next Hop(s)
----- ---------- ----- -------------- --------------------------------------- --------------------------------------------------
cat9000v-uadp-2
inserthostname-here#show l2route evpn mac ip
EVI ETag Prod Mac Address Host IP Next Hop(s)
----- ---------- ----- -------------- --------------------------------------- --------------------------------------------------
101 0 L2VPN 5254.000a.7386 1.1.1.2 Gi1/0/1:101
101 0 BGP 5254.0010.63c2 1.1.1.1 V:10101 11.11.11.11
101 0 BGP 5254.0018.0f0a 1.1.1.254 V:10101 44.44.44.44
101 0 BGP 5254.001d.7fc1 FE80::5054:FF:FE1D:7FC1 V:10101 11.11.11.11
201 0 BGP 5254.000b.91d1 1.1.1.1 V:20202 11.11.11.11
201 0 BGP 5254.0018.0f15 1.1.1.254 V:20202 44.44.44.44
201 0 L2VPN 5254.001b.ad0d 1.1.1.2 Gi1/0/2:201
201 0 BGP 5254.001f.aa82 FE80::5054:FF:FE1F:AA82 V:20202 11.11.11.11
cat9000v-uadp-3
inserthostname-here#show l2route evpn mac ip
EVI ETag Prod Mac Address Host IP Next Hop(s)
----- ---------- ----- -------------- --------------------------------------- --------------------------------------------------
101 0 BGP 5254.000a.7386 1.1.1.2 V:10101 33.33.33.33
101 0 BGP 5254.0010.63c2 1.1.1.1 V:10101 11.11.11.11
101 0 L2VPN 5254.0018.0f0a 1.1.1.254 Vl101:0
101 0 BGP 5254.001d.7fc1 FE80::5054:FF:FE1D:7FC1 V:10101 11.11.11.11
201 0 BGP 5254.000b.91d1 1.1.1.1 V:20202 11.11.11.11
201 0 L2VPN 5254.0018.0f15 1.1.1.254 Vl201:0
201 0 BGP 5254.001b.ad0d 1.1.1.2 V:20202 33.33.33.33
201 0 BGP 5254.001f.aa82 FE80::5054:FF:FE1F:AA82 V:20202 11.11.11.11
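The tables above show the same host IPs (1.1.1.1, 1.1.1.2, 1.1.1.254) in both EVI 101 and EVI 201, which is safe only while every entry stays inside its own EVI and VNI. The following is an added example, not part of the original article: it parses `show l2route evpn mac ip` text and flags entries that cross the tenant boundary. The sample rows are the cat9000v-uadp-0 output from this page; `LEAK_OUTPUT` adds one constructed row, the function names are hypothetical, and reading the local next hop as `<port>:<vlan>` or `Vl<vlan>:0` is an assumption based on the output shown here.

```python
import re
from collections import defaultdict

# From the 'vlan configuration' lines on this page; VLAN id == EVI id in this lab.
EVI_TO_VNI = {101: 10101, 201: 20202}

# Data rows of 'show l2route evpn mac ip' on cat9000v-uadp-0, as shown on this page.
PAGE_OUTPUT = """\
EVI ETag Prod Mac Address Host IP Next Hop(s)
101 0 BGP 5254.000a.7386 1.1.1.2 V:10101 33.33.33.33
101 0 L2VPN 5254.0010.63c2 1.1.1.1 Gi1/0/1:101
101 0 BGP 5254.0016.7b13 FE80::5054:FF:FE16:7B13 V:10101 33.33.33.33
101 0 BGP 5254.0018.0f0a 1.1.1.254 V:10101 44.44.44.44
101 0 L2VPN 5254.001d.7fc1 FE80::5054:FF:FE1D:7FC1 Gi1/0/1:101
201 0 L2VPN 5254.000b.91d1 1.1.1.1 Gi1/0/2:201
201 0 BGP 5254.0018.0f15 1.1.1.254 V:20202 44.44.44.44
201 0 BGP 5254.001b.ad0d 1.1.1.2 V:20202 33.33.33.33
201 0 L2VPN 5254.001f.aa82 FE80::5054:FF:FE1F:AA82 Gi1/0/2:201
"""

# Constructed row: a company A MAC showing up in EVI 201 over company A's VNI.
LEAK_OUTPUT = PAGE_OUTPUT + "201 0 BGP 5254.0010.63c2 1.1.1.1 V:10101 33.33.33.33\n"

ROW = re.compile(
    r"(\d+)\s+\d+\s+(BGP|L2VPN)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(.+)"
)


def parse_rows(output):
    """Turn the table into dicts; header and separator lines do not match ROW."""
    rows = []
    for line in output.splitlines():
        m = ROW.fullmatch(line.strip())
        if m:
            evi, prod, mac, ip, next_hop = m.groups()
            rows.append({"evi": int(evi), "prod": prod, "mac": mac,
                         "ip": ip, "next_hop": next_hop.strip()})
    return rows


def check_isolation(rows, evi_to_vni=EVI_TO_VNI):
    """Return findings for entries that do not stay inside their own EVI/VNI/VLAN."""
    findings = []
    evis_by_mac = defaultdict(set)
    for r in rows:
        evi, mac, nh = r["evi"], r["mac"], r["next_hop"]
        evis_by_mac[mac].add(evi)
        if evi not in evi_to_vni:
            findings.append(f"{mac}: unknown EVI {evi}")
        elif r["prod"] == "BGP":
            # Remote entry: 'V:<vni> <remote VTEP>'
            m = re.match(r"V:(\d+)\s", nh)
            if not m or int(m.group(1)) != evi_to_vni[evi]:
                findings.append(
                    f"{mac}: EVI {evi} via '{nh}', expected VNI {evi_to_vni[evi]}")
        else:
            # Local entry: '<port>:<vlan>', or 'Vl<vlan>:0' for an SVI
            m = re.fullmatch(r"Vl(\d+):\d+", nh) or re.fullmatch(r"\S+:(\d+)", nh)
            if not m or int(m.group(1)) != evi:
                findings.append(f"{mac}: EVI {evi} learned locally on '{nh}'")
    for mac, evis in sorted(evis_by_mac.items()):
        if len(evis) > 1:
            findings.append(f"{mac}: present in EVIs {sorted(evis)}")
    return findings


def overlapping_ips(rows):
    """Host IPs seen in more than one EVI: expected here, since tenants reuse addresses."""
    evis_by_ip = defaultdict(set)
    for r in rows:
        evis_by_ip[r["ip"]].add(r["evi"])
    return sorted(ip for ip, evis in evis_by_ip.items() if len(evis) > 1)


if __name__ == "__main__":
    page_rows = parse_rows(PAGE_OUTPUT)
    print("overlapping IPs:", overlapping_ips(page_rows))
    print("page output findings:", check_isolation(page_rows))
    print("leak sample findings:", check_isolation(parse_rows(LEAK_OUTPUT)))
```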
show l2vpn evpn default-gateway detail
cat9000v-uadp-0
inserthostname-here#show l2vpn evpn default-gateway detail
Default Gateway Address: 1.1.1.254
EVPN Instance: 101
Vlan: 101
MAC Address: 5254.0018.0f0a
Ethernet Tag ID: 0
Source: V:10101 44.44.44.44
Default Gateway Address: 1.1.1.254
EVPN Instance: 201
Vlan: 201
MAC Address: 5254.0018.0f15
Ethernet Tag ID: 0
Source: V:20202 44.44.44.44
cat9000v-uadp-1
No entries are shown because this is a transit router.
inserthostname-here#show l2vpn evpn default-gateway detail
cat9000v-uadp-2
inserthostname-here#show l2vpn evpn default-gateway detail
Default Gateway Address: 1.1.1.254
EVPN Instance: 101
Vlan: 101
MAC Address: 5254.0018.0f0a
Ethernet Tag ID: 0
Source: V:10101 44.44.44.44
Default Gateway Address: 1.1.1.254
EVPN Instance: 201
Vlan: 201
MAC Address: 5254.0018.0f15
Ethernet Tag ID: 0
Source: V:20202 44.44.44.44
cat9000v-uadp-3
inserthostname-here#show l2vpn evpn default-gateway detail
Default Gateway Address: 1.1.1.254
EVPN Instance: 101
Vlan: 101
MAC Address: 5254.0018.0f0a
Ethernet Tag ID: 0
Source: V:10101 Vlan101
Default Gateway Address: 1.1.1.254
EVPN Instance: 201
Vlan: 201
MAC Address: 5254.0018.0f15
Ethernet Tag ID: 0
Source: V:20202 Vlan201
show ip route
cat9000v-uadp-0
inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
11.0.0.0/32 is subnetted, 1 subnets
C 11.11.11.11 is directly connected, Loopback0
22.0.0.0/32 is subnetted, 1 subnets
i L1 22.22.22.22 [115/20] via 22.22.22.22, 05:51:06, GigabitEthernet1/0/3
33.0.0.0/32 is subnetted, 1 subnets
i L1 33.33.33.33 [115/30] via 22.22.22.22, 05:51:05, GigabitEthernet1/0/3
44.0.0.0/32 is subnetted, 1 subnets
i L1 44.44.44.44 [115/30] via 22.22.22.22, 05:06:00, GigabitEthernet1/0/3
cat9000v-uadp-1
inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
11.0.0.0/32 is subnetted, 1 subnets
i L1 11.11.11.11 [115/20] via 11.11.11.11, 05:55:06, GigabitEthernet1/0/3
22.0.0.0/32 is subnetted, 1 subnets
C 22.22.22.22 is directly connected, Loopback0
33.0.0.0/32 is subnetted, 1 subnets
i L1 33.33.33.33 [115/20] via 33.33.33.33, 05:55:15, GigabitEthernet1/0/4
44.0.0.0/32 is subnetted, 1 subnets
i L1 44.44.44.44 [115/20] via 44.44.44.44, 05:09:56, GigabitEthernet1/0/1
cat9000v-uadp-2
inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
11.0.0.0/32 is subnetted, 1 subnets
i L1 11.11.11.11 [115/30] via 22.22.22.22, 05:55:25, GigabitEthernet1/0/4
22.0.0.0/32 is subnetted, 1 subnets
i L1 22.22.22.22 [115/20] via 22.22.22.22, 05:55:34, GigabitEthernet1/0/4
33.0.0.0/32 is subnetted, 1 subnets
C 33.33.33.33 is directly connected, Loopback0
44.0.0.0/32 is subnetted, 1 subnets
i L1 44.44.44.44 [115/30] via 22.22.22.22, 05:10:15, GigabitEthernet1/0/4
cat9000v-uadp-3
inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
11.0.0.0/32 is subnetted, 1 subnets
i L1 11.11.11.11 [115/30] via 22.22.22.22, 05:10:37, GigabitEthernet1/0/1
22.0.0.0/32 is subnetted, 1 subnets
i L1 22.22.22.22 [115/20] via 22.22.22.22, 05:10:42, GigabitEthernet1/0/1
33.0.0.0/32 is subnetted, 1 subnets
i L1 33.33.33.33 [115/30] via 22.22.22.22, 05:10:35, GigabitEthernet1/0/1
44.0.0.0/32 is subnetted, 1 subnets
C 44.44.44.44 is directly connected, Loopback0
csr1000v-0
inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, GigabitEthernet1
L 1.1.1.1/32 is directly connected, GigabitEthernet1
10.0.0.0/32 is subnetted, 2 subnets
C 10.0.0.1 is directly connected, Loopback0
B 10.0.0.2 [20/0] via 1.1.1.2, 05:01:28
csr1000v-1
inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, GigabitEthernet1
L 1.1.1.1/32 is directly connected, GigabitEthernet1
10.0.0.0/32 is subnetted, 2 subnets
C 10.0.0.1 is directly connected, Loopback0
B 10.0.0.2 [20/0] via 1.1.1.2, 05:08:46
csr1000v-2
inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, GigabitEthernet1
L 1.1.1.2/32 is directly connected, GigabitEthernet1
10.0.0.0/32 is subnetted, 2 subnets
B 10.0.0.1 [20/0] via 1.1.1.1, 05:01:59
C 10.0.0.2 is directly connected, Loopback0
csr1000v-3
inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, GigabitEthernet1
L 1.1.1.2/32 is directly connected, GigabitEthernet1
10.0.0.0/32 is subnetted, 2 subnets
B 10.0.0.1 [20/0] via 1.1.1.1, 05:08:58
C 10.0.0.2 is directly connected, Loopback0
Connectivity check
ping
csr1000v-0
inserthostname-here#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inserthostname-here#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 109/110/112 ms
inserthostname-here#ping 1.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 89/92/103 ms
inserthostname-here#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inserthostname-here#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 107/117/137 ms
csr1000v-1
inserthostname-here#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inserthostname-here#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 107/115/121 ms
inserthostname-here#ping 1.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 99/103/112 ms
inserthostname-here#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inserthostname-here#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 102/112/122 ms
csr1000v-2
inserthostname-here#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 103/125/144 ms
inserthostname-here#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/6 ms
inserthostname-here#ping 1.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 91/104/115 ms
inserthostname-here#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 101/109/115 ms
inserthostname-here#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
csr1000v-3
inserthostname-here#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/118/139 ms
inserthostname-here#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
inserthostname-here#ping 1.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/101/103 ms
inserthostname-here#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 106/117/126 ms
inserthostname-here#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
traceroute
csr1000v-0
inserthostname-here#traceroute 10.0.0.2
Type escape sequence to abort.
Tracing the route to 10.0.0.2
VRF info: (vrf in name/id, vrf out name/id)
1 1.1.1.2 79 msec 86 msec *
csr1000v-1
inserthostname-here#traceroute 10.0.0.2
Type escape sequence to abort.
Tracing the route to 10.0.0.2
VRF info: (vrf in name/id, vrf out name/id)
1 1.1.1.2 127 msec 123 msec *
csr1000v-2
inserthostname-here#traceroute 10.0.0.1
Type escape sequence to abort.
Tracing the route to 10.0.0.1
VRF info: (vrf in name/id, vrf out name/id)
1 1.1.1.1 146 msec 106 msec *
csr1000v-3
inserthostname-here#traceroute 10.0.0.1
Type escape sequence to abort.
Tracing the route to 10.0.0.1
VRF info: (vrf in name/id, vrf out name/id)
1 1.1.1.1 144 msec 88 msec *
Packet capture
Because traceroute does not show which route the traffic takes, I also captured packets while pinging the opposite side's loopback address from each device.
csr1000v-0
Between csr1000v-0 and cat9000v-uadp-0
Between csr1000v-2 and cat9000v-uadp-2
csr1000v-1
Between csr1000v-1 and cat9000v-uadp-0
Between csr1000v-3 and cat9000v-uadp-2
csr1000v-2
Between csr1000v-0 and cat9000v-uadp-0
Between csr1000v-2 and cat9000v-uadp-2
csr1000v-3
Between csr1000v-1 and cat9000v-uadp-0
Between csr1000v-3 and cat9000v-uadp-2
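Open issues
- I confirmed that the EVPN peers advertise the default gateway of each VLAN as pointing to the IRB, but I do not yet know how to advertise this to the routers on the company A and company B side. (I want to advertise to company A's devices over BGP that the default gateway is the IRB.)
- With VLAN-VNI-EVI-SVI-VRF bundled one-to-one, the biggest bottleneck is the EVI. According to my rough research, IOS-XE can create only 950 [3] (?) of them, so this traffic separation is limited to 950 companies. Implementing the VLAN-aware model and binding multiple VLANs to a single EVI would probably ease the EVI bottleneck, but even then it does not seem possible to exceed the VLAN limit of 4094.
- This lab is shown as asymmetric IRB; is a symmetric IRB configuration not possible with a centralized gateway? From the official documentation [4] it is unclear whether symmetric IRB works with a centralized gateway.
Afterword
EVPN-VXLAN has become a hot enough technology to appear in the 2024 Network Specialist exam, so I took it up this time.
Traffic separation works for now, but my understanding of EVPN-VXLAN is still shallow, so I plan to keep reading the documentation with a focus on the open issues listed above.
End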
Footnotes
- [1] Slide 13 of the following:
https://www.nic.ad.jp/ja/materials/iw/2016/proceedings/t05/t5-kamitani-2.pdf
- [2] Previous article:
https://enjimiya.com/vrfbgpvlan%e3%81%ab%e3%82%88%e3%82%8b%e3%83%88%e3%83%a9%e3%83%95%e3%82%a3%e3%83%83%e3%82%af%e3%81%ae%e8%ab%96%e7%90%86%e5%88%86%e5%89%b2/#:~:text=%E3%81%A9%E3%81%86%E3%82%84%E3%82%89CML%E3%81%AE%E3%83%87%E3%83%95%E3%82%A9%E3%83%AB%E3%83%88%E3%81%AE%E3%83%A9%E3%82%A4%E3%82%BB%E3%83%B3%E3%82%B9%E3%81%A0%E3%81%A8%E3%80%81cat9000v%E3%81%A7%E3%81%AFVRF%E3%81%AA%E3%81%A9%E3%81%8C%E4%BD%BF%E3%81%88%E3%81%AA%E3%81%841%E3%82%88%E3%81%86%E3%81%AA%E3%81%AE%E3%81%A7%E3%80%81%E3%81%BE%E3%81%9A%E3%82%A2%E3%83%89%E3%83%90%E3%83%B3%E3%83%86%E3%83%BC%E3%82%B8%E3%83%A9%E3%82%A4%E3%82%BB%E3%83%B3%E3%82%B9%E3%81%AE%E6%9C%89%E5%8A%B9%E5%8C%96%E3%82%92%E8%A1%8C%E3%81%84%E3%81%BE%E3%81%99%E3%80%82
- [3] It says 128 VRFs, but it should be possible to create more on IOS-XR:
https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/segment-routing/17-1-1/b-segment-routing-17-1-asr920/m-evpn-irb.pdf
- [4] https://www.cisco.com/c/ja_jp/td/docs/switches/lan/catalyst9300/software/release/17-6/configuration_guide/vxlan/b_176_bgp_evpn_vxlan_9300_cg/configuring_evpn_vxlan_integrated_routing_and_bridging.html#id_137316:~:text=of%20addresses%3A%3A%206-,%E4%BE%8B%EF%BC%9A%E9%9B%86%E4%B8%AD%E5%9E%8B%E3%83%87%E3%83%95%E3%82%A9%E3%83%AB%E3%83%88%E3%82%B2%E3%83%BC%E3%83%88%E3%82%A6%E3%82%A7%E3%82%A4%E3%82%92%E4%BD%BF%E7%94%A8%E3%81%97%E3%81%9F%20EVPN%20VXLAN%20Integrated%20Routing%20and%20Bridging%20%E3%81%AE%E6%9C%89%E5%8A%B9%E5%8C%96,-%E3%81%93%E3%81%AE%E9%A0%85%E3%81%A7%E3%81%AF