Logical Traffic Segmentation with EVPN-VXLAN

Introduction

Continuing from the previous post, this one again verifies logical traffic segmentation.

This time I implement EVPN-VXLAN, a comparatively new technology, and build an L2VPN with it.

Environment

The lab is built on CML running on top of Proxmox VE.

  • CML 2.7

Next, the nodes:

  • Catalyst 9000v UADP ×4 (hereafter cat9000v)
  • CSR 1000v ×4 (hereafter csr1000v)

Topology diagram

This is the topology for this post.

Yellow represents the carrier (service provider), blue is Company A and red is Company B. In this scenario Company A and Company B must not be able to route to each other, and both use the same overlapping IPv4 addresses.

Of the EVPN-VXLAN modes, the vlan-based[1] one is used, so VLAN, VNI and EVI are bound one-to-one. At that point traffic segmentation as an L2VPN is already complete, but this time I additionally configure SVIs on cat9000v-uadp-3 as an IRB and separate them with VRFs. The result is a one-to-one VLAN-VNI-EVI-SVI-VRF chain, and each Company A router establishes a BGP peering with Company A's IRB to exchange routes with the other site.

Although I call it an IRB, in this scenario neither Company A nor Company B routes through the IRB, so it is nothing more than bridging. (Placing the SVIs in the same VRF would allow routing between the two VLANs via the IRB.)

Also, since the previous article was an L3VPN, the left-hand and right-hand routers were in different segments; this time it is an L2VPN, so bridging the G1 interfaces of the routers at both ends would also allow L2 extension.

In the carrier's yellow area, level-1 IS-IS is used for underlay route exchange to keep the implementation simple. By borrowing the IP of the loopback interface (ip unnumbered), IPv4 addressing of the inter-device segments is omitted.

Configuration

The four cat9000v are assumed to have the Advantage license already enabled[2].

cat9000v-uadp-0

en
!
conf t
!
ip routing
!
vlan configuration 101 
 member evpn-instance 101 vni 10101
!
vlan configuration 201 
 member evpn-instance 201 vni 20202
!
interface Loopback0
 ip address 11.11.11.11 255.255.255.255
 ip router isis 
!
interface GigabitEthernet1/0/1
 switchport access vlan 101
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 201
 switchport mode access
!
interface GigabitEthernet1/0/3
 no switchport
 ip unnumbered Loopback0
 ip router isis
!
router isis
 net 49.0001.0110.1101.1011.00
 is-type level-1
!
router bgp 65001
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 bgp router-id 11.11.11.11
 neighbor 22.22.22.22 remote-as 65001
 neighbor 22.22.22.22 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor 22.22.22.22 activate
  neighbor 22.22.22.22 send-community both
 exit-address-family
!
l2vpn evpn
 replication-type ingress
!
l2vpn evpn instance 101 vlan-based
 encapsulation vxlan
!
l2vpn evpn instance 201 vlan-based
 encapsulation vxlan
!
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 10101 ingress-replication
 member vni 20202 ingress-replication
!
end
!

cat9000v-uadp-1

en
!
conf t
!
ip routing
!
interface Loopback 0
 ip address 22.22.22.22 255.255.255.255
 ip router isis
!
interface GigabitEthernet 1/0/1
 no switchport
 ip unnumbered Loopback0
 ip router isis
!
interface GigabitEthernet 1/0/3
 no switchport
 ip unnumbered Loopback0
 ip router isis
!
interface GigabitEthernet 1/0/4
 no switchport
 ip unnumbered Loopback0
 ip router isis
!
router isis
 net 49.0001.0220.2202.2022.00
 is-type level-1
!
router bgp 65001
 template peer-policy POLICY
  route-reflector-client
  send-community extended
 exit-peer-policy
 !
 template peer-session SESSION
  remote-as 65001
  update-source Loopback0
 exit-peer-session
 !
 bgp router-id 22.22.22.22
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 11.11.11.11 inherit peer-session SESSION
 neighbor 33.33.33.33 inherit peer-session SESSION
 neighbor 44.44.44.44 inherit peer-session SESSION
 !
 address-family ipv4
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor 11.11.11.11 activate
  neighbor 11.11.11.11 inherit peer-policy POLICY
  neighbor 33.33.33.33 activate
  neighbor 33.33.33.33 inherit peer-policy POLICY
  neighbor 44.44.44.44 activate
  neighbor 44.44.44.44 inherit peer-policy POLICY
 exit-address-family
!
end
!

cat9000v-uadp-2

en
!
conf t
!
ip routing
!
vlan configuration 101 
 member evpn-instance 101 vni 10101
!
vlan configuration 201 
 member evpn-instance 201 vni 20202
!
interface Loopback 0
 ip address 33.33.33.33 255.255.255.255
 ip router isis
!
interface GigabitEthernet1/0/1
 switchport access vlan 101
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 201
 switchport mode access
!
interface GigabitEthernet 1/0/4
 no switchport
 ip unnumbered Loopback0
 ip router isis
!
router isis
 net 49.0001.0330.3303.3033.00
 is-type level-1
!
router bgp 65001
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 bgp router-id 33.33.33.33
 neighbor 22.22.22.22 remote-as 65001
 neighbor 22.22.22.22 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor 22.22.22.22 activate
  neighbor 22.22.22.22 send-community both
 exit-address-family
!
l2vpn evpn
 replication-type ingress
!
l2vpn evpn instance 101 vlan-based
 encapsulation vxlan
!
l2vpn evpn instance 201 vlan-based
 encapsulation vxlan
!
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 10101 ingress-replication
 member vni 20202 ingress-replication
!
end
!

cat9000v-uadp-3

en
!
conf t
!
ip routing
!
vlan configuration 101 
 member evpn-instance 101 vni 10101
!
vlan configuration 201 
 member evpn-instance 201 vni 20202
!
interface Loopback 0
 ip address 44.44.44.44 255.255.255.255
 ip router isis
!
interface GigabitEthernet 1/0/1
 no switchport
 ip unnumbered Loopback0
 ip router isis
!
vrf definition IRB-101
 rd 65002:1
 address-family ipv4 unicast
!
vrf definition IRB-201
 rd 65003:1
 address-family ipv4 unicast
!
router isis
 net 49.0001.0440.4404.4044.00
 is-type level-1
!
router bgp 65001
 !
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 bgp router-id 44.44.44.44
 neighbor 22.22.22.22 remote-as 65001
 neighbor 22.22.22.22 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv4 vrf IRB-101
  advertise l2vpn evpn
  redistribute connected
  redistribute static
  neighbor 1.1.1.1 remote-as 65002
  neighbor 1.1.1.2 remote-as 65002
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.2 activate
 exit-address-family
 !
 address-family ipv4 vrf IRB-201
  advertise l2vpn evpn
  redistribute connected
  redistribute static
  neighbor 2.2.2.1 remote-as 65003
  neighbor 2.2.2.2 remote-as 65003
  neighbor 2.2.2.1 activate
  neighbor 2.2.2.2 activate
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor 22.22.22.22 activate
  neighbor 22.22.22.22 send-community both
 exit-address-family
!
l2vpn evpn
 replication-type ingress
 default-gateway advertise
!
l2vpn evpn instance 101 vlan-based
 encapsulation vxlan
!
l2vpn evpn instance 201 vlan-based
 encapsulation vxlan
!
interface Vlan101
 vrf forwarding IRB-101
 ip address 1.1.1.254 255.255.255.0
 no autostate
!
interface Vlan201
 vrf forwarding IRB-201
 ip address 2.2.2.254 255.255.255.0
 no autostate
!
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 10101 ingress-replication
 member vni 20202 ingress-replication
!
end
!
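
The cat9000v-uadp-3 configuration above is the one that ties each tenant together (VLAN -> EVI -> VNI -> nve1 member -> SVI -> VRF), and a shared VRF on the two SVIs is exactly what would let Company A and Company B route into each other. The following Python script is an added example, not part of the original post: it parses those parts of an IOS-XE configuration, reports a broken chain or two tenant SVIs sitting in one VRF, and compares the VLAN/EVI/VNI binding across several VTEPs. GOOD_CFG is a trimmed copy of the cat9000v-uadp-3 config above; BAD_CFG is a constructed mistake.

```python
import re
from collections import defaultdict

# Constructed sample: the tenant-binding parts of the cat9000v-uadp-3 config above.
GOOD_CFG = """\
vlan configuration 101
 member evpn-instance 101 vni 10101
!
vlan configuration 201
 member evpn-instance 201 vni 20202
!
l2vpn evpn instance 101 vlan-based
 encapsulation vxlan
!
l2vpn evpn instance 201 vlan-based
 encapsulation vxlan
!
interface Vlan101
 vrf forwarding IRB-101
 ip address 1.1.1.254 255.255.255.0
!
interface Vlan201
 vrf forwarding IRB-201
 ip address 2.2.2.254 255.255.255.0
!
interface nve1
 host-reachability protocol bgp
 member vni 10101 ingress-replication
 member vni 20202 ingress-replication
!
"""
# Constructed mistake: Company B's SVI dropped into Company A's VRF.
BAD_CFG = GOOD_CFG.replace("vrf forwarding IRB-201", "vrf forwarding IRB-101")


def parse_vtep(cfg):
    """Extract vlan->(evi, vni), EVIs, nve1 VNIs and SVI->VRF from IOS-XE config text."""
    vlan_map, evis, nve_vnis, svi_vrf = {}, set(), set(), {}
    section = None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):                     # top-level command (or "!" / blank)
            section = None
            if m := re.match(r"vlan configuration (\d+)$", line):
                section = ("vlan", int(m.group(1)))
            elif m := re.match(r"l2vpn evpn instance (\d+) vlan-based$", line):
                evis.add(int(m.group(1)))
            elif m := re.match(r"interface Vlan(\d+)$", line):
                section = ("svi", int(m.group(1)))
                svi_vrf[int(m.group(1))] = ""            # "" = global table until a vrf line appears
            elif re.match(r"interface nve\d+$", line):
                section = ("nve", None)
            continue
        if section is None:
            continue
        kind, key = section
        sub = line.strip()
        if kind == "vlan" and (m := re.match(r"member evpn-instance (\d+) vni (\d+)", sub)):
            vlan_map[key] = (int(m.group(1)), int(m.group(2)))
        elif kind == "svi" and (m := re.match(r"vrf forwarding (\S+)", sub)):
            svi_vrf[key] = m.group(1)
        elif kind == "nve" and (m := re.match(r"member vni (\d+)", sub)):
            nve_vnis.add(int(m.group(1)))
    return {"vlan_map": vlan_map, "evis": evis, "nve_vnis": nve_vnis, "svi_vrf": svi_vrf}


def audit_vtep(cfg):
    """Return findings for one VTEP; an empty list means the chain is complete and isolated."""
    p = parse_vtep(cfg)
    findings = []
    for vlan, (evi, vni) in sorted(p["vlan_map"].items()):
        if evi not in p["evis"]:
            findings.append(f"vlan {vlan}: evpn-instance {evi} has no 'l2vpn evpn instance' block")
        if vni not in p["nve_vnis"]:
            findings.append(f"vlan {vlan}: vni {vni} is not a member of nve1")
    bound = {vni for _, vni in p["vlan_map"].values()}
    for vni in sorted(p["nve_vnis"] - bound):
        findings.append(f"nve1 member vni {vni} is not bound to any vlan")
    by_vrf = defaultdict(list)                           # tenant isolation: one VRF per EVPN SVI
    for vlan, vrf in p["svi_vrf"].items():
        if vlan in p["vlan_map"]:
            by_vrf[vrf].append(vlan)
    for vrf, vlans in by_vrf.items():
        if vrf == "":
            findings.append(f"SVI(s) for vlans {sorted(vlans)} sit in the global routing table")
        elif len(vlans) > 1:
            findings.append(f"vrf {vrf} holds SVIs for vlans {sorted(vlans)}: IRB routing between tenants is possible")
    return findings


def fabric_mismatches(configs):
    """Across VTEPs the same vlan must map to the same (evi, vni); returns the offending vlans."""
    seen = defaultdict(set)
    for name, cfg in configs.items():
        for vlan, binding in parse_vtep(cfg)["vlan_map"].items():
            seen[vlan].add((name, binding))
    return {vlan: sorted(v) for vlan, v in seen.items() if len({b for _, b in v}) > 1}
```

audit_vtep(GOOD_CFG) returns an empty list, audit_vtep(BAD_CFG) reports that IRB-101 now holds both SVIs, and fabric_mismatches() flags any VLAN whose EVI/VNI binding differs between the leaf configs it is given.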

csr1000v-0

en
!
conf t
!
ip routing
!
interface Loopback 0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet 1
 ip address 1.1.1.1 255.255.255.0
 no shutdown
!
router bgp 65002
 neighbor 1.1.1.254 remote-as 65001
 neighbor 1.1.1.254 allowas-in
 no auto-summary
 no synchronization
 redistribute connected 
!
end
!

csr1000v-1

en
!
conf t
!
ip routing
!
interface Loopback 0
 ip address 10.0.0.2 255.255.255.255
!
interface GigabitEthernet 1
 ip address 2.2.2.1 255.255.255.0
 no shutdown
!
router bgp 65003
 neighbor 2.2.2.254 remote-as 65001
 neighbor 2.2.2.254 allowas-in
 no auto-summary
 no synchronization
 redistribute connected 
!
end
!

csr1000v-2

en
!
conf t
!
ip routing
!
interface Loopback 0
 ip address 10.0.0.3 255.255.255.255
!
interface GigabitEthernet 1
 ip address 1.1.1.2 255.255.255.0
 no shutdown
!
router bgp 65002
 neighbor 1.1.1.254 remote-as 65001
 neighbor 1.1.1.254 allowas-in
 no auto-summary
 no synchronization
 redistribute connected 
!
end
!

csr1000v-3

en
!
conf t
!
ip routing
!
interface Loopback 0
 ip address 10.0.0.4 255.255.255.255
!
interface GigabitEthernet 1
 ip address 2.2.2.2 255.255.255.0
 no shutdown
!
router bgp 65003
 neighbor 2.2.2.254 remote-as 65001
 neighbor 2.2.2.254 allowas-in
 no auto-summary
 no synchronization
 redistribute connected 
!
end
!

show command output

show bgp l2vpn evpn summary

cat9000v-uadp-0

inserthostname-here#show bgp l2vpn evpn summary
BGP router identifier 11.11.11.11, local AS number 65001
BGP table version is 150, main routing table version 150
43 network entries using 16512 bytes of memory
43 path entries using 9976 bytes of memory
12/12 BGP path/bestpath attribute entries using 3552 bytes of memory
2 BGP rrinfo entries using 80 bytes of memory
4 BGP extended community entries using 160 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 30280 total bytes of memory
BGP activity 92/49 prefixes, 96/53 paths, scan interval 60 secs
43 networks peaked at 10:00:55 Jan 2 2025 UTC (04:38:36.052 ago)

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
22.22.22.22     4        65001     426     383      150    0    0 05:32:07       16

cat9000v-uadp-1

inserthostname-here#show bgp l2vpn evpn summary
BGP router identifier 22.22.22.22, local AS number 65001
BGP table version is 113, main routing table version 113
32 network entries using 12288 bytes of memory
32 path entries using 7424 bytes of memory
13/13 BGP path/bestpath attribute entries using 3848 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
4 BGP extended community entries using 160 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 23768 total bytes of memory
BGP activity 67/34 prefixes, 72/40 paths, scan interval 60 secs
33 networks peaked at 10:02:00 Jan 2 2025 UTC (04:41:38.187 ago)

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
11.11.11.11     4        65001     387     432      113    0    0 05:36:14       11
33.33.33.33     4        65001     387     431      113    0    0 05:36:28       11
44.44.44.44     4        65001     337     371      113    0    0 04:51:11       10

cat9000v-uadp-2

inserthostname-here#show bgp l2vpn evpn summary
BGP router identifier 33.33.33.33, local AS number 65001
BGP table version is 150, main routing table version 150
41 network entries using 15744 bytes of memory
41 path entries using 9512 bytes of memory
12/12 BGP path/bestpath attribute entries using 3552 bytes of memory
2 BGP rrinfo entries using 80 bytes of memory
4 BGP extended community entries using 160 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 29048 total bytes of memory
BGP activity 87/45 prefixes, 95/54 paths, scan interval 60 secs
42 networks peaked at 10:00:55 Jan 2 2025 UTC (04:43:04.265 ago)

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
22.22.22.22     4        65001     431     387      150    0    0 05:36:49       15

cat9000v-uadp-3

inserthostname-here#show bgp l2vpn evpn summary
BGP router identifier 44.44.44.44, local AS number 65001
BGP table version is 145, main routing table version 145
54 network entries using 20736 bytes of memory
58 path entries using 13456 bytes of memory
13/13 BGP path/bestpath attribute entries using 3848 bytes of memory
2 BGP rrinfo entries using 80 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
4 BGP extended community entries using 160 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 38328 total bytes of memory
BGP activity 101/39 prefixes, 117/49 paths, scan interval 60 secs
56 networks peaked at 10:02:00 Jan 2 2025 UTC (04:42:18.083 ago)

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
22.22.22.22     4        65001     371     338      145    0    0 04:51:51       22

show l2route evpn mac ip

cat9000v-uadp-0

inserthostname-here#show l2route evpn mac ip
  EVI       ETag  Prod    Mac Address                                 Host IP                                        Next Hop(s)
----- ---------- ----- -------------- --------------------------------------- --------------------------------------------------
  101          0   BGP 5254.000a.7386                                 1.1.1.2                                V:10101 33.33.33.33
  101          0 L2VPN 5254.0010.63c2                                 1.1.1.1                                        Gi1/0/1:101
  101          0   BGP 5254.0016.7b13                 FE80::5054:FF:FE16:7B13                                V:10101 33.33.33.33
  101          0   BGP 5254.0018.0f0a                               1.1.1.254                                V:10101 44.44.44.44
  101          0 L2VPN 5254.001d.7fc1                 FE80::5054:FF:FE1D:7FC1                                        Gi1/0/1:101
  201          0 L2VPN 5254.000b.91d1                                 1.1.1.1                                        Gi1/0/2:201
  201          0   BGP 5254.0018.0f15                               1.1.1.254                                V:20202 44.44.44.44
  201          0   BGP 5254.001b.ad0d                                 1.1.1.2                                V:20202 33.33.33.33
  201          0 L2VPN 5254.001f.aa82                 FE80::5054:FF:FE1F:AA82                                        Gi1/0/2:201

cat9000v-uadp-1

Nothing is displayed because this is a transit router.

inserthostname-here#show l2route evpn mac ip
  EVI       ETag  Prod    Mac Address                                 Host IP                                        Next Hop(s)
----- ---------- ----- -------------- --------------------------------------- --------------------------------------------------

cat9000v-uadp-2

inserthostname-here#show l2route evpn mac ip
  EVI       ETag  Prod    Mac Address                                 Host IP                                        Next Hop(s)
----- ---------- ----- -------------- --------------------------------------- --------------------------------------------------
  101          0 L2VPN 5254.000a.7386                                 1.1.1.2                                        Gi1/0/1:101
  101          0   BGP 5254.0010.63c2                                 1.1.1.1                                V:10101 11.11.11.11
  101          0   BGP 5254.0018.0f0a                               1.1.1.254                                V:10101 44.44.44.44
  101          0   BGP 5254.001d.7fc1                 FE80::5054:FF:FE1D:7FC1                                V:10101 11.11.11.11
  201          0   BGP 5254.000b.91d1                                 1.1.1.1                                V:20202 11.11.11.11
  201          0   BGP 5254.0018.0f15                               1.1.1.254                                V:20202 44.44.44.44
  201          0 L2VPN 5254.001b.ad0d                                 1.1.1.2                                        Gi1/0/2:201
  201          0   BGP 5254.001f.aa82                 FE80::5054:FF:FE1F:AA82                                V:20202 11.11.11.11

cat9000v-uadp-3

inserthostname-here#show l2route evpn mac ip
  EVI       ETag  Prod    Mac Address                                 Host IP                                        Next Hop(s)
----- ---------- ----- -------------- --------------------------------------- --------------------------------------------------
  101          0   BGP 5254.000a.7386                                 1.1.1.2                                V:10101 33.33.33.33
  101          0   BGP 5254.0010.63c2                                 1.1.1.1                                V:10101 11.11.11.11
  101          0 L2VPN 5254.0018.0f0a                               1.1.1.254                                            Vl101:0
  101          0   BGP 5254.001d.7fc1                 FE80::5054:FF:FE1D:7FC1                                V:10101 11.11.11.11
  201          0   BGP 5254.000b.91d1                                 1.1.1.1                                V:20202 11.11.11.11
  201          0 L2VPN 5254.0018.0f15                               1.1.1.254                                            Vl201:0
  201          0   BGP 5254.001b.ad0d                                 1.1.1.2                                V:20202 33.33.33.33
  201          0   BGP 5254.001f.aa82                 FE80::5054:FF:FE1F:AA82                                V:20202 11.11.11.11

show l2vpn evpn default-gateway detail

cat9000v-uadp-0

inserthostname-here#show l2vpn evpn default-gateway  detail
Default Gateway Address:   1.1.1.254
EVPN Instance:             101
Vlan:                      101
MAC Address:               5254.0018.0f0a
Ethernet Tag ID:           0
Source:                    V:10101 44.44.44.44

Default Gateway Address:   1.1.1.254
EVPN Instance:             201
Vlan:                      201
MAC Address:               5254.0018.0f15
Ethernet Tag ID:           0
Source:                    V:20202 44.44.44.44

cat9000v-uadp-1

Nothing is displayed because this is a transit router.

inserthostname-here#show l2vpn evpn default-gateway detail

cat9000v-uadp-2

inserthostname-here#show l2vpn evpn default-gateway detail
Default Gateway Address:   1.1.1.254
EVPN Instance:             101
Vlan:                      101
MAC Address:               5254.0018.0f0a
Ethernet Tag ID:           0
Source:                    V:10101 44.44.44.44

Default Gateway Address:   1.1.1.254
EVPN Instance:             201
Vlan:                      201
MAC Address:               5254.0018.0f15
Ethernet Tag ID:           0
Source:                    V:20202 44.44.44.44

cat9000v-uadp-3

inserthostname-here#show l2vpn evpn default-gateway detail
Default Gateway Address:   1.1.1.254
EVPN Instance:             101
Vlan:                      101
MAC Address:               5254.0018.0f0a
Ethernet Tag ID:           0
Source:                    V:10101 Vlan101

Default Gateway Address:   1.1.1.254
EVPN Instance:             201
Vlan:                      201
MAC Address:               5254.0018.0f15
Ethernet Tag ID:           0
Source:                    V:20202 Vlan201

show ip route

cat9000v-uadp-0

inserthostname-here#show ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      11.0.0.0/32 is subnetted, 1 subnets
C        11.11.11.11 is directly connected, Loopback0
      22.0.0.0/32 is subnetted, 1 subnets
i L1     22.22.22.22 [115/20] via 22.22.22.22, 05:51:06, GigabitEthernet1/0/3
      33.0.0.0/32 is subnetted, 1 subnets
i L1     33.33.33.33 [115/30] via 22.22.22.22, 05:51:05, GigabitEthernet1/0/3
      44.0.0.0/32 is subnetted, 1 subnets
i L1     44.44.44.44 [115/30] via 22.22.22.22, 05:06:00, GigabitEthernet1/0/3

cat9000v-uadp-1

inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      11.0.0.0/32 is subnetted, 1 subnets
i L1     11.11.11.11 [115/20] via 11.11.11.11, 05:55:06, GigabitEthernet1/0/3
      22.0.0.0/32 is subnetted, 1 subnets
C        22.22.22.22 is directly connected, Loopback0
      33.0.0.0/32 is subnetted, 1 subnets
i L1     33.33.33.33 [115/20] via 33.33.33.33, 05:55:15, GigabitEthernet1/0/4
      44.0.0.0/32 is subnetted, 1 subnets
i L1     44.44.44.44 [115/20] via 44.44.44.44, 05:09:56, GigabitEthernet1/0/1

cat9000v-uadp-2

inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      11.0.0.0/32 is subnetted, 1 subnets
i L1     11.11.11.11 [115/30] via 22.22.22.22, 05:55:25, GigabitEthernet1/0/4
      22.0.0.0/32 is subnetted, 1 subnets
i L1     22.22.22.22 [115/20] via 22.22.22.22, 05:55:34, GigabitEthernet1/0/4
      33.0.0.0/32 is subnetted, 1 subnets
C        33.33.33.33 is directly connected, Loopback0
      44.0.0.0/32 is subnetted, 1 subnets
i L1     44.44.44.44 [115/30] via 22.22.22.22, 05:10:15, GigabitEthernet1/0/4

cat9000v-uadp-3

inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      11.0.0.0/32 is subnetted, 1 subnets
i L1     11.11.11.11 [115/30] via 22.22.22.22, 05:10:37, GigabitEthernet1/0/1
      22.0.0.0/32 is subnetted, 1 subnets
i L1     22.22.22.22 [115/20] via 22.22.22.22, 05:10:42, GigabitEthernet1/0/1
      33.0.0.0/32 is subnetted, 1 subnets
i L1     33.33.33.33 [115/30] via 22.22.22.22, 05:10:35, GigabitEthernet1/0/1
      44.0.0.0/32 is subnetted, 1 subnets
C        44.44.44.44 is directly connected, Loopback0

csr1000v-0

inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, GigabitEthernet1
L        1.1.1.1/32 is directly connected, GigabitEthernet1
      10.0.0.0/32 is subnetted, 2 subnets
C        10.0.0.1 is directly connected, Loopback0
B        10.0.0.2 [20/0] via 1.1.1.2, 05:01:28

csr1000v-1

inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, GigabitEthernet1
L        1.1.1.1/32 is directly connected, GigabitEthernet1
      10.0.0.0/32 is subnetted, 2 subnets
C        10.0.0.1 is directly connected, Loopback0
B        10.0.0.2 [20/0] via 1.1.1.2, 05:08:46

csr1000v-2

inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, GigabitEthernet1
L        1.1.1.2/32 is directly connected, GigabitEthernet1
      10.0.0.0/32 is subnetted, 2 subnets
B        10.0.0.1 [20/0] via 1.1.1.1, 05:01:59
C        10.0.0.2 is directly connected, Loopback0

csr1000v-3

inserthostname-here#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, GigabitEthernet1
L        1.1.1.2/32 is directly connected, GigabitEthernet1
      10.0.0.0/32 is subnetted, 2 subnets
B        10.0.0.1 [20/0] via 1.1.1.1, 05:08:58
C        10.0.0.2 is directly connected, Loopback0

Connectivity check

ping

csr1000v-0

inserthostname-here#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inserthostname-here#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 109/110/112 ms
inserthostname-here#ping 1.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 89/92/103 ms
inserthostname-here#ping 10.0.0.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inserthostname-here#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 107/117/137 ms

csr1000v-1

inserthostname-here#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inserthostname-here#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 107/115/121 ms
inserthostname-here#ping 1.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 99/103/112 ms
inserthostname-here#ping 10.0.0.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inserthostname-here#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 102/112/122 ms

csr1000v-2

inserthostname-here#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 103/125/144 ms
inserthostname-here#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/6 ms
inserthostname-here#ping 1.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 91/104/115 ms
inserthostname-here#ping 10.0.0.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 101/109/115 ms
inserthostname-here#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

csr1000v-3

inserthostname-here#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/118/139 ms
inserthostname-here#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
inserthostname-here#ping 1.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/101/103 ms
inserthostname-here#ping 10.0.0.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 106/117/126 ms
inserthostname-here#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

traceroute

csr1000v-0

inserthostname-here#traceroute 10.0.0.2
Type escape sequence to abort.
Tracing the route to 10.0.0.2
VRF info: (vrf in name/id, vrf out name/id)
  1 1.1.1.2 79 msec 86 msec *

csr1000v-1

inserthostname-here#traceroute 10.0.0.2
Type escape sequence to abort.
Tracing the route to 10.0.0.2
VRF info: (vrf in name/id, vrf out name/id)
  1 1.1.1.2 127 msec 123 msec *

csr1000v-2

inserthostname-here#traceroute 10.0.0.1
Type escape sequence to abort.
Tracing the route to 10.0.0.1
VRF info: (vrf in name/id, vrf out name/id)
  1 1.1.1.1 146 msec 106 msec * 

csr1000v-3

inserthostname-here#traceroute 10.0.0.1
Type escape sequence to abort.
Tracing the route to 10.0.0.1
VRF info: (vrf in name/id, vrf out name/id)
  1 1.1.1.1 144 msec 88 msec *

Packet capture

Since traceroute does not show which path is actually taken, I also captured packets while pinging from each device to the loopback address of its counterpart.

csr1000v-0

Between csr1000v-0 and cat9000v-uadp-0
Between csr1000v-2 and cat9000v-uadp-2

csr1000v-1

Between csr1000v-1 and cat9000v-uadp-0
Between csr1000v-3 and cat9000v-uadp-2

csr1000v-2

Between csr1000v-0 and cat9000v-uadp-0
Between csr1000v-2 and cat9000v-uadp-2

csr1000v-3

Between csr1000v-1 and cat9000v-uadp-0
Between csr1000v-3 and cat9000v-uadp-2

Open issues

  • I confirmed that each VLAN's default gateway is advertised to the EVPN peers pointing at the IRB, but I do not yet know how to advertise this to Company A's and Company B's routers. (I would like to tell the Company A devices via BGP that their default gateway is the IRB.)
  • With VLAN-VNI-EVI-SVI-VRF bound one-to-one, the biggest bottleneck is the EVI: a rough search suggests IOS-XE can only create 950[3] (?), so this form of traffic segmentation tops out at 950 companies. Implementing the vlan-aware mode and binding multiple VLANs to one EVI would probably ease the EVI bottleneck, but even then it seems impossible to exceed the VLAN limit of 4094.
  • The output here shows asymmetric IRB; can a centralized gateway not do symmetric IRB? The official documentation[4] does not make clear whether a centralized gateway uses symmetric IRB.

Afterword

EVPN-VXLAN has become hot enough to appear in the 2024 Network Specialist exam, which is why I took it up this time.

Traffic segmentation works for now, but my understanding of EVPN-VXLAN is still shallow, so I plan to read through the documentation with a focus on the issues listed above.

The end

Footnotes

  1. Slide 13 of the following:
     https://www.nic.ad.jp/ja/materials/iw/2016/proceedings/t05/t5-kamitani-2.pdf
  2. Previous article:
     https://enjimiya.com/vrfbgpvlan%e3%81%ab%e3%82%88%e3%82%8b%e3%83%88%e3%83%a9%e3%83%95%e3%82%a3%e3%83%83%e3%82%af%e3%81%ae%e8%ab%96%e7%90%86%e5%88%86%e5%89%b2/#:~:text=%E3%81%A9%E3%81%86%E3%82%84%E3%82%89CML%E3%81%AE%E3%83%87%E3%83%95%E3%82%A9%E3%83%AB%E3%83%88%E3%81%AE%E3%83%A9%E3%82%A4%E3%82%BB%E3%83%B3%E3%82%B9%E3%81%A0%E3%81%A8%E3%80%81cat9000v%E3%81%A7%E3%81%AFVRF%E3%81%AA%E3%81%A9%E3%81%8C%E4%BD%BF%E3%81%88%E3%81%AA%E3%81%841%E3%82%88%E3%81%86%E3%81%AA%E3%81%AE%E3%81%A7%E3%80%81%E3%81%BE%E3%81%9A%E3%82%A2%E3%83%89%E3%83%90%E3%83%B3%E3%83%86%E3%83%BC%E3%82%B8%E3%83%A9%E3%82%A4%E3%82%BB%E3%83%B3%E3%82%B9%E3%81%AE%E6%9C%89%E5%8A%B9%E5%8C%96%E3%82%92%E8%A1%8C%E3%81%84%E3%81%BE%E3%81%99%E3%80%82
  3. The document says 128 VRFs, but IOS-XR should allow more:
     https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/segment-routing/17-1-1/b-segment-routing-17-1-asr920/m-evpn-irb.pdf
  4. https://www.cisco.com/c/ja_jp/td/docs/switches/lan/catalyst9300/software/release/17-6/configuration_guide/vxlan/b_176_bgp_evpn_vxlan_9300_cg/configuring_evpn_vxlan_integrated_routing_and_bridging.html#id_137316:~:text=of%20addresses%3A%3A%206-,%E4%BE%8B%EF%BC%9A%E9%9B%86%E4%B8%AD%E5%9E%8B%E3%83%87%E3%83%95%E3%82%A9%E3%83%AB%E3%83%88%E3%82%B2%E3%83%BC%E3%83%88%E3%82%A6%E3%82%A7%E3%82%A4%E3%82%92%E4%BD%BF%E7%94%A8%E3%81%97%E3%81%9F%20EVPN%20VXLAN%20Integrated%20Routing%20and%20Bridging%20%E3%81%AE%E6%9C%89%E5%8A%B9%E5%8C%96,-%E3%81%93%E3%81%AE%E9%A0%85%E3%81%A7%E3%81%AF
