Layer 3 EVPN and Layer 3 VPN

This chapter describes the tasks to configure Layer 3 EVPN and the stitching of L3 EVPN and L3VPN on a router. Perform the following tasks to complete the configuration:

Configuring VRF and Route Targets for Import and Export Rules

Procedure

  Command or Action Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

vrf vrf-name

Defines a VPN routing and forwarding (VRF) instance and enters the VRF configuration mode.

Step 3

rd auto

Automatically assigns a unique route distinguisher (RD) to the VRF.

Step 4

address-family { ipv4 | ipv6 } unicast

Specifies either the IPv4 or IPv6 address family for the VRF instance and enters address family configuration submode.

Step 5

route-target import route-target-id

Configures importing of routes to the VRF from the L3VPN BGP NLRIs that have the matching route-target value.

Step 6

route-target export route-target-id

Configures exporting of routes from the VRF to the L3VPN BGP NLRIs and assigns the specified route-target identifiers to the L3VPN BGP NLRIs.

Step 7

route-target import route-target-id evpn

Configures importing of routes from the L3 EVPN BGP NLRI that have the matching route-target value.

Step 8

route-target export route-target-id evpn

Configures exporting of routes from the VRF to the L3 EVPN BGP NLRIs and assigns the specified route-target identifiers to the BGP EVPN NLRIs.

Configuring BGP EVPN and Label Allocation Mode

You can enable MPLS tunnel encapsulation with the encapsulation mpls command. You can configure the label allocation mode for the EVPN address family. The default tunnel encapsulation in EVPN for IP Route type in NX-OS is VXLAN.

Advertising (IP or label) bindings from a Cisco Nexus 9000 Series switch via BGP EVPN enables a remote switch to send routed traffic for that IP over MPLS to the switch that advertised it, using the label bound to that IP.

The IP prefix route (Type-5) is:

  • Type-5 route with MPLS encapsulation

    
    RT-5 Route – IP Prefix

    RD:            L3 RD
    IP Length:     prefix length
    IP address:    IP (4 bytes)
    Label1:        BGP MPLS Label
    Route Target:  RT for IP-VRF
    

The default label allocation mode is per-VRF for Layer 3 EVPN over MPLS.
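The Type-5 route fields listed above, as an added Python example (not code from the Cisco documentation) that encodes and validates the NLRI. It goes beyond the fields the page lists by following the RFC 9136 layout, which also carries ESI, Ethernet tag and gateway IP fields and allows IPv6 prefixes; the type-1 RD form, the RD value and the label are assumptions made for the sample.

```python
import ipaddress
import struct

# Fixed field sizes of an EVPN IP Prefix (Type-5) NLRI, per RFC 9136.
ROUTE_TYPE_IP_PREFIX = 5
RD_LEN, ESI_LEN, ETAG_LEN, LABEL_LEN = 8, 10, 4, 3


def encode_type5(router_id, vrf_id, prefix, label):
    """Build a Type-5 NLRI using a type-1 RD (IPv4 address:number)."""
    net = ipaddress.ip_network(prefix)
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    rd = struct.pack("!H4sH", 1, ipaddress.IPv4Address(router_id).packed, vrf_id)
    addr = net.network_address.packed
    body = (rd + bytes(ESI_LEN) + bytes(ETAG_LEN)      # ESI and Ethernet tag set to zero
            + bytes([net.prefixlen]) + addr
            + bytes(len(addr))                          # gateway IP set to zero
            + (label << 4).to_bytes(LABEL_LEN, "big"))  # label sits in the high 20 bits
    return bytes([ROUTE_TYPE_IP_PREFIX, len(body)]) + body


def decode_rd(rd):
    """Render the 8-byte RD as text for the three defined RD types."""
    rd_type = int.from_bytes(rd[:2], "big")
    fmt = {0: "!HI", 1: "!4sH", 2: "!IH"}.get(rd_type)
    if fmt is None:
        raise ValueError(f"unknown RD type {rd_type}")
    admin, num = struct.unpack(fmt, rd[2:])
    if rd_type == 1:
        admin = ipaddress.IPv4Address(admin)
    return f"{admin}:{num}"


def decode_type5(nlri):
    """Parse a Type-5 NLRI; raise ValueError if it is malformed."""
    if len(nlri) < 2 or nlri[0] != ROUTE_TYPE_IP_PREFIX:
        raise ValueError("not an EVPN Type-5 route")
    body = nlri[2:]
    if nlri[1] != len(body) or len(body) not in (34, 58):
        raise ValueError("length must be 34 (IPv4) or 58 (IPv6)")
    alen = 4 if len(body) == 34 else 16
    off = RD_LEN + ESI_LEN + ETAG_LEN
    plen = body[off]
    if plen > alen * 8:
        raise ValueError("prefix length exceeds address size")
    addr = ipaddress.ip_address(body[off + 1:off + 1 + alen])
    gateway = ipaddress.ip_address(body[off + 1 + alen:off + 1 + 2 * alen])
    return {
        "rd": decode_rd(body[:RD_LEN]),
        "prefix": str(ipaddress.ip_network(f"{addr}/{plen}", strict=False)),
        "gateway": str(gateway),
        "label": int.from_bytes(body[-LABEL_LEN:], "big") >> 4,
    }


# Constructed sample: RD 200.0.0.1:3 and label 492287 are made-up values.
SAMPLE_NLRI = encode_type5("200.0.0.1", 3, "101.0.0.0/24", 492287)
```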

Complete the following steps to configure BGP EVPN and label allocation mode:

Before you begin

You must install and enable the MPLS feature set using the install feature-set mpls and feature-set mpls commands.

You must enable the MPLS segment routing feature.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

[no] router bgp autonomous-system-number

Example:

switch(config)# router bgp 64496
switch(config-router)#

Enables BGP and assigns the AS number to the local BGP speaker. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.

Use the no option with this command to remove the BGP process and the associated configuration.

Step 3

address-family l2vpn evpn

Example:


switch(config-router)# address-family l2vpn evpn
switch(config-router-af)#

Enters global address family configuration mode for the Layer 2 VPN EVPN.

Step 4

exit

Example:

switch(config-router-af)# exit
switch(config-router)#

Exits global address family configuration mode.

Step 5

neighbor ipv4-address remote-as autonomous-system-number

Example:

switch(config-router)# neighbor 10.1.1.1 remote-as 64497
switch(config-router-neighbor)# 

Configures the IPv4 address and AS number for a remote BGP peer.

Step 6

address-family l2vpn evpn

Example:

switch(config-router-neighbor)# address-family l2vpn evpn
switch(config-router-neighbor-af)# 

Advertises the labeled Layer 2 VPN EVPN.

Step 7

encapsulation mpls

Example:


router bgp 100
  address-family l2vpn evpn
  neighbor NVE2 remote-as 100
    address-family l2vpn evpn
      send-community extended
      encapsulation mpls
  vrf foo
    address-family ipv4 unicast
      advertise l2vpn evpn

BGP segment routing configuration:


router bgp 100
  address-family ipv4 unicast
    network 200.0.0.1/32 route-map label_index_pol_100
    network 192.168.5.1/32 route-map label_index_pol_101
    network 101.0.0.0/24 route-map label_index_pol_103
    allocate-label all
  neighbor 192.168.5.6 remote-as 20
    address-family ipv4 labeled-unicast
      send-community extended

Enables BGP EVPN address family and sends EVPN type-5 route update to the neighbors.

Note

The default tunnel encapsulation in EVPN for the IP route type in NX-OS is VXLAN. To override that, a new CLI is introduced to indicate MPLS tunnel encapsulation.

Step 8

vrf <customer_name>

Configures the VRF.

Step 9

address-family ipv4 unicast

Enters global address family configuration mode for the IPv4 address family.

Step 10

advertise l2vpn evpn

Advertises Layer 2 VPN EVPN.

Step 11

redistribute direct route-map DIRECT_TO_BGP

Redistributes the directly connected routes into BGP-EVPN.

Step 12

label-allocation-mode per-vrf

Sets the label allocation mode to per-VRF. If you want to configure the per-prefix label mode, use the no label-allocation-mode per-vrf CLI command.

For the EVPN address family, the default label allocation is per-vrf, compared to per-prefix mode for the other address-families where the label allocation CLI is supported. No form of CLI is displayed in the running configuration.

Example

See the following example for configuring per-prefix label allocation:

router bgp 65000
    [address-family l2vpn evpn]
    neighbor 10.1.1.1
        remote-as 100
        address-family l2vpn evpn
            send-community extended
    neighbor 20.1.1.1
        remote-as 65000
        address-family l2vpn evpn
            encapsulation mpls
            send-community extended
    vrf customer1
        address-family ipv4 unicast
            advertise l2vpn evpn
            redistribute direct route-map DIRECT_TO_BGP
            no label-allocation-mode per-vrf

Configuring BGP Layer 3 EVPN and Layer 3 VPN Stitching

To configure stitching on the same router, configure the Layer 3 VPN neighbor relationship and router advertisement.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] router bgp autonomous-system-number

Example:

switch# configure terminal
switch(config)# router bgp 64496
switch(config-router)#

Enables BGP and assigns the AS number to the local BGP speaker. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.

Use the no option with this command to remove the BGP process and the associated configuration.

Step 3

address-family {vpnv4 | vpnv6} unicast

Example:

switch(config-router)# address-family vpnv4 unicast
switch(config-router-af)# address-family vpnv6 unicast
switch(config-router-af)#

Enters global address family configuration mode for the Layer 3 VPNv4 or VPNv6.

Step 4

exit

Example:

switch(config-router-af)# exit
switch(config-router)#

Exits global address family configuration mode.

Step 5

neighbor ipv4-address remote-as autonomous-system-number

Example:

switch(config-router)# neighbor 20.1.1.1 remote-as 64498

Configures the IPv4 address and AS number for a remote BGP L3VPN peer.

Step 6

address-family {vpnv4 | vpnv6} unicast

Example:

switch(config-router-neighbor)# address-family vpnv4 unicast
switch(config-router-neighbor-af)# address-family vpnv6 unicast
switch(config-router-neighbor-af)#

Configures the neighbor address family for VPNv4 or VPNv6.

Step 7

send-community extended

Enables BGP VPN address family.

Step 8

import l2vpn evpn reoriginate

Configures import of routing information from the Layer 3 VPN BGP NLRIs that have a route target identifier matching the normal route target identifier, and exports this routing information to the BGP EVPN neighbor after re-origination, which assigns it the stitching route target identifier.

Step 9

neighbor ipv4-address remote-as autonomous-system-number

Example:

switch(config-router)# neighbor 10.1.1.1 remote-as 64497
switch(config-router-neighbor)# 

Configures the IPv4 address and AS number for a remote Layer 3 EVPN BGP peer.

Step 10

address-family l2vpn evpn

Example:

switch(config-router-neighbor)# address-family l2vpn evpn
switch(config-router-neighbor-af)# 

Configures the neighbor address family for Layer 3 EVPN.

Step 11

import vpn unicast reoriginate

Enables import of routing information from BGP EVPN NLRIs that have a route target identifier matching the stitching route target identifier, and exports this routing information after re-origination to the Layer 3 VPN BGP neighbor.

Step 12

vrf <customer_name>

Configures the VRF.

Step 13

address-family ipv4 unicast

Enters global address family configuration mode for the IPv4 address family.

Step 14

advertise l2vpn evpn

Advertises Layer 2 VPN EVPN.

Example

vrf context Customer1
    rd auto 
    address-family ipv4 unicast
        route-target import 100:100
        route-target export 100:100
        route-target import 100:100 evpn  
        route-target export 100:100 evpn 

segment-routing
    mpls
      global-block 11000 20000
      connected-prefix-sid
         address-family ipv4 unicast
         200.0.0.1 index 101
!
int lo1
  ip address 200.0.0.1/32
!
interface e1/13
  description "MPLS interface towards Core"
  ip address 192.168.5.1/24
  mpls ip forwarding
  no shut

router bgp 100
  address-family ipv4 unicast
    allocate-label all
  address-family ipv6 unicast
  address-family l2vpn evpn
  address-family vpnv4 unicast
  address-family vpnv6 unicast
  neighbor 10.0.0.1 remote-as 200
    update-source loopback1
    address-family vpnv4 unicast
      send-community extended
      import l2vpn evpn reoriginate
    address-family vpnv6 unicast
      import l2vpn evpn reoriginate
      send-community extended
  neighbor 20.0.0.1 remote-as 300
    address-family l2vpn evpn
      send-community extended
      import vpn unicast reoriginate
      encapsulation mpls
  neighbor 192.168.5.6 remote-as 300
    address-family ipv4 labeled-unicast
  vrf Customer1
    address-family ipv4 unicast
      advertise l2vpn evpn
    address-family ipv6 unicast
      advertise l2vpn evpn
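A way to check a saved running configuration against the stitching steps above, as an added Python example that is not part of the Cisco documentation. The required-command table is an assumption drawn from this page's procedure and example, route targets are tracked per VRF rather than per address family, and the sample configuration is constructed with two deliberate gaps.

```python
import re

# Commands this page's stitching steps place under each neighbor address family.
VPN_CMDS = {"send-community extended", "import l2vpn evpn reoriginate"}
EVPN_CMDS = {"send-community extended", "import vpn unicast reoriginate", "encapsulation mpls"}
REQUIRED = {"vpnv4 unicast": VPN_CMDS, "vpnv6 unicast": VPN_CMDS, "l2vpn evpn": EVPN_CMDS}
RT_RE = re.compile(r"route-target (import|export) \S+( evpn)?$")
RT_WANTED = {(d, k) for d in ("import", "export") for k in ("l3vpn", "evpn")}
# Constructed sample: the EVPN export RT and 'encapsulation mpls' are left out.
SAMPLE = """\
vrf context Customer1
  address-family ipv4 unicast
    route-target import 100:100
    route-target export 100:100
    route-target import 100:100 evpn
router bgp 100
  neighbor 10.0.0.1 remote-as 200
    address-family vpnv4 unicast
      send-community extended
      import l2vpn evpn reoriginate
  neighbor 20.0.0.1 remote-as 300
    address-family l2vpn evpn
      send-community extended
      import vpn unicast reoriginate
"""


def audit_stitching(config):
    """Return a list of findings; an empty list means no gaps were found."""
    section = vrf = neighbor = af = None
    nbr_cmds, vrf_rts = {}, {}
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            vrf = neighbor = af = None
            section = "bgp" if line.startswith("router bgp ") else None
            if line.startswith("vrf context "):
                section, vrf = "vrf", line.split()[2]
                vrf_rts[vrf] = set()
        elif section == "vrf":
            m = RT_RE.match(line)
            if m:  # keep only direction and RT kind
                vrf_rts[vrf].add((m.group(1), "evpn" if m.group(2) else "l3vpn"))
        elif section == "bgp" and line.startswith("neighbor "):
            neighbor, af = line.split()[1], None
        elif section == "bgp" and line.startswith("vrf "):
            neighbor = af = None  # per-VRF BGP block, not a neighbor
        elif section == "bgp" and line.startswith("address-family "):
            af = line[len("address-family "):]
            if neighbor:
                nbr_cmds.setdefault((neighbor, af), set())
        elif section == "bgp" and neighbor and af:
            nbr_cmds[(neighbor, af)].add(line)
    findings = []
    for name in sorted(vrf_rts):
        for direction, kind in sorted(RT_WANTED - vrf_rts[name]):
            findings.append(f"vrf {name}: no {kind} route-target {direction}")
    for nbr, fam in sorted(nbr_cmds):
        for cmd in sorted(REQUIRED.get(fam, set()) - nbr_cmds[(nbr, fam)]):
            findings.append(f"neighbor {nbr} {fam}: missing '{cmd}'")
    return findings
```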
 

Configuring the Features to Enable Layer3 EVPN and Layer3 VPN

Before you begin

Install the VPN Fabric license.

Make sure that the feature interface-vlan command is enabled.

Procedure

  Command or Action Purpose

Step 1

feature bgp

Enables BGP feature and configurations.

Step 2

install feature-set mpls

Enables MPLS configuration commands.

Step 3

feature-set mpls

Enables MPLS configuration commands.

Step 4

feature mpls segment-routing

Enables segment routing configuration commands.

Step 5

feature mpls evpn

Enables EVPN over MPLS configuration commands. This command is mutually exclusive with the feature-nv CLI command.

Step 6

feature mpls l3vpn

Enables EVPN over MPLS configuration commands. This command is mutually exclusive with the feature-nv CLI command.

Configuring BGP L3 VPN over Segment Routing

Before you begin

You must install and enable the MPLS feature set using the install feature-set mpls and feature-set mpls commands.

You must enable the MPLS segment routing feature.

You must enable the MPLS L3 VPN feature using the feature mpls l3vpn command.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] router bgp autonomous-system-number

Example:

switch(config)# router bgp 64496
switch(config-router)#

Enables BGP and assigns the AS number to the local BGP speaker. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.

Use the no option with this command to remove the BGP process and the associated configuration.

Step 3

address-family {vpnv4 | vpnv6} unicast

Example:

switch(config-router)# address-family vpnv4 unicast
switch(config-router-af)# address-family vpnv6 unicast
switch(config-router-af)#

Enters global address family configuration mode for the Layer 3 VPNv4 or VPNv6.

Step 4

[no] allocate-label option-b

Disables the inter-AS option-b.

Step 5

exit

Example:

switch(config-router-af)# exit
switch(config-router)#

Exits global address family configuration mode.

Step 6

neighbor ipv4-address remote-as autonomous-system-number

Example:

switch(config-router)# neighbor 20.1.1.1 remote-as 64498
switch(config-router-neighbor)# 

Configures the IPv4 address and AS number for a remote BGP L3VPN peer.

Step 7

address-family {vpnv4 | vpnv6} unicast

Example:

switch(config-router-neighbor)# address-family vpnv4 unicast
switch(config-router-neighbor-af)# 

Configures the neighbor address family for VPNv4 or VPNv6.

Step 8

send-community extended

Enables BGP VPN address family.

Step 9

vrf <customer_name>

Configures the VRF.

Step 10

allocate-index x

Configures the allocate-index.

Step 11

address-family ipv4 unicast

Enters global address family configuration mode for the IPv4 address family.

Step 12

redistribute direct route-map DIRECT_TO_BGP

Redistributes the directly connected routes into BGP-L3VPN.

BGP Layer3 VPN Over SRTE

This feature enables traffic engineering capabilities towards the Segment Routing core for Data-Center Interconnect (DCI)/WAN Edge deployments. It enables DCI handoff (VXLAN to L3VPN based on SR and vice versa) and can use SRTE capabilities in the SR core so that SLAs can be achieved by different traffic classes. SRTE capabilities can be applied on DCI or edge routers by applying an SR policy for L3VPN prefixes. L3VPN prefixes can be advertised (by DCI or edge nodes) after setting the extended community color, and the BGP L3VPN neighbor can apply an SR policy based on that color to create SRTE. The configurations for setting extended community color on L3VPN prefixes are listed below.

Guidelines and Limitations for Configuring Layer 3 VPN Over SRTE

Beginning with Cisco NX-OS Release 10.1(2), segment routing traffic engineering is supported over Layer 3 VPN on Cisco Nexus 9300-FX3, N9K-C9316D-GX, N9K-C93180YC-FX, N9K-C93240YC-FX2, and N9K-C9364C platform switches.

The limitations for this feature are as follows:

  • Underlay IPv6 is not supported. SRv6 is the alternative.

  • PCE using BGP underlay is not supported, due to PCE’s shortcoming on a BGP-only fabric.

  • OSPF-SRTE with PCE is not supported, due to NX-OS’s inability to advertise LSA in BGP-LS.

  • Supports a total SRTE policy scale of 1000, BGP VPNv4 32K routes, BGP VPNv6 32K routes, and underlay SR prefixes of 1000.

Beginning with Cisco NX-OS Release 10.2(3)F, the option of color-only (CO) bits is added in route map. If the value of the CO bits changes for a given prefix that is using an SRTE policy, BGP deletes the old policy and adds a new policy.

Configuring Extended Community Color

This section includes the following topics:

Configuring Extended Community Color at the Ingress Node

To configure extended community color at the ingress node when the prefix is announced by the ingress node, where the SRTE policy is instantiated, perform the following steps:

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

route-map map-name

Example:

switch(config)# route-map ABC 
switch(config-route-map)#

Creates a route map or enters route-map configuration mode for an existing route map.

Step 3

set extcommunity color color-num

Example:

switch(config-route-map)# set extcommunity color 20
switch(config-route-map)#

Sets BGP extcommunity attribute for color extended community.

Step 4

exit

Example:

switch(config-route-map)# exit
switch(config)#

Exits route-map configuration mode.

Step 5

[no] router bgp autonomous-system-number

Example:

switch(config)# router bgp 1
switch(config-router)#

Enables BGP and assigns the AS number to the local BGP speaker. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.

Use the no option with this command to remove the BGP process and the associated configuration.

Step 6

neighbor ip-address

Example:

switch(config-router)# neighbor 209.165.201.1
switch(config-router-neighbor)#

Adds an entry to the BGP or multiprotocol BGP neighbor table. The ip-address argument specifies the IP address of the neighbor in dotted decimal notation.

Step 7

address-family {vpnv4 | vpnv6} unicast

Example:

switch(config-router-neighbor)# address-family vpnv4 unicast
switch(config-router-neighbor-af)#

Enters router address-family configuration mode for the vpnv4/vpnv6 address family type.

Step 8

route-map map-name in

Example:

switch(config-router-neighbor-af)# route-map ABC in
switch(config-router-neighbor-af)#

Applies the configured BGP policy to incoming routes.

The map-name can be any case-sensitive, alphanumeric string up to 63 characters.

Configuring Extended Community Color at the Egress Node

To configure extended community color at the egress node when the prefix is announced by the egress node, perform the following steps:

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

route-map map-name

Example:

switch(config)# route-map ABC 
switch(config-route-map)#

Creates a route map or enters route-map configuration mode for an existing route map.

Step 3

set extcommunity color color-num

Example:

switch(config-route-map)# set extcommunity color 20
switch(config-route-map)#

Sets BGP extcommunity attribute for color extended community.

Step 4

exit

Example:

switch(config-route-map)# exit
switch(config)#

Exits route-map configuration mode.

Step 5

[no] router bgp autonomous-system-number

Example:

switch(config)# router bgp 1
switch(config-router)#

Enables BGP and assigns the AS number to the local BGP speaker. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.

Use the no option with this command to remove the BGP process and the associated configuration.

Step 6

neighbor ip-address

Example:

switch(config-router)# neighbor 209.165.201.1
switch(config-router-neighbor)#

Adds an entry to the BGP or multiprotocol BGP neighbor table. The ip-address argument specifies the IP address of the neighbor in dotted decimal notation.

Step 7

address-family {vpnv4 | vpnv6} unicast

Example:

switch(config-router-neighbor)# address-family vpnv4 unicast
switch(config-router-neighbor-af)#

Enters router address-family configuration mode for the vpnv4/vpnv6 address family type.

Step 8

route-map map-name out

Example:

switch(config-router-neighbor-af)# route-map ABC out
switch(config-router-neighbor-af)#

Applies the configured BGP policy to outgoing routes.

The map-name can be any case-sensitive, alphanumeric string up to 63 characters.

Configuring Extended Community Color for Network/Redistribute Command at the Egress Node

To configure extended community color for the network/redistribute command at the egress node when the prefix is announced by the egress node, perform the following steps:

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

route-map map-name

Example:

switch(config)# route-map ABC 
switch(config-route-map)#

Creates a route map or enters route-map configuration mode for an existing route map.

Step 3

set extcommunity color color-num

Example:

switch(config-route-map)# set extcommunity color 20
switch(config-route-map)#

Sets BGP extcommunity attribute for color extended community.

Step 4

exit

Example:

switch(config-route-map)# exit
switch(config)#

Exits route-map configuration mode.

Step 5

[no] router bgp autonomous-system-number

Example:

switch(config)# router bgp 1
switch(config-router)#

Enables BGP and assigns the AS number to the local BGP speaker. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.

Use the no option with this command to remove the BGP process and the associated configuration.

Step 6

vrf <customer_name>

Configures the VRF.

Step 7

address-family ipv4 unicast

Example:

switch(config-router-vrf)# address-family ipv4 unicast
switch(config-router-vrf-af)#

Specifies the IPv4 address family for the VRF instance and enters the address family configuration mode.

Step 8

redistribute static route-map map-name

Example:

switch(config-router-vrf-af)# redistribute static route-map ABC
switch(config-router-vrf-af)#

Redistributes static routes into BGP. The map-name can be any case-sensitive, alphanumeric string up to 63 characters.

Step 9

network ip-prefix [route-map map-name]

Example:

switch(config-router-vrf-af)# network 1.1.1.1/32 route-map ABC 
switch(config-router-af-network)#

Specifies a network as local to this autonomous system and adds it to the BGP routing table.