DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN fabric) - PC on remote VTEP can't ping anything

MSLAV
Posts: 6
Joined: Fri Nov 02, 2018 2:41 pm

Post by MSLAV » Sun Nov 11, 2018 2:16 am

Hello all,

Can anyone help me resolve a problem I faced playing with VXLAN EVPN?

My topology is in the attachment.
The problem is that Moved_Server1 can ping everything except Moved_Server2 and 3 behind VTEP Leaf 2 and 3.
These two servers can't ping anything.

Did anyone face the same problem, or can someone point me to a guide where this is explained?

Cisco has a doc talking about firewall implementations with a VXLAN fabric: https://www.cisco.com/c/dam/en/us/produ ... 736585.pdf
And it seems that my scenario is valid ...but it doesn't work :)

paulno1
Posts: 1
Joined: Sun Nov 11, 2018 3:56 pm

Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN fabric) - PC on remote VTEP can't ping anything

Post by paulno1 » Sun Nov 11, 2018 3:59 pm

Hi, please come onto the Rocket Chat technical discussion chat and I can help you with this. I'm just in the process of fitting my firewalls into an EVPN fabric; this comes under Cisco Programmable Fabric and you can have both L2 and L3 firewall modes.

Your issue has to be down to ACLs. Do you not get any hits at all?

My design is different in that I'm using multiple tenants and VRFs at the L3 VNI level.

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London
Contact:

Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN fabric) - PC on remote VTEP can't ping anything

Post by Uldis (UD) » Sun Nov 11, 2018 6:59 pm

Paul meant:

http://www.eve-ng.net/live-helpdesk
Use your Google account or create a new one for the chat.

It is the Tech room.

UD

sanjeevlsg
Posts: 13
Joined: Thu Sep 20, 2018 5:58 am

Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN fabric) - PC on remote VTEP can't ping anything

Post by sanjeevlsg » Mon Nov 12, 2018 9:40 am

Can you guys attach the .unl file, so we can test it out too, and the exported cfg if you have it? Thanks

MSLAV
Posts: 6
Joined: Fri Nov 02, 2018 2:41 pm

Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN fabric) - PC on remote VTEP can't ping anything

Post by MSLAV » Mon Nov 12, 2018 4:41 pm

UPDATE:
OK, I created a new lab (in attachments).
The scenario is the following:
Customer A has an old infrastructure with servers connected to the CORE switch; the gateways are on the CORE.
Now they are building a VXLAN fabric.
New servers will be connected directly to the Leafs with Anycast Gateways on them.
Old servers will be transitioned to the Leafs with a step-by-step approach, so keeping the GW on the Core is mandatory until all servers are migrated.

I was able to make it work with some limitations:

1. "hardware access-list TCAM region arp-ether 256 double-wide" - added double-wide
2. It seems that I have to have the Old Servers on both Leafs. If Old Servers are connected to a Leaf which does not have a direct L2 trunk to the CORE, it doesn't work. I guess there is something wrong with the control plane/ARP or something. So, servers in "Green" can ping everything; the server in "Red" behind Leaf2 can't even get out.

The general technical solution is described in this doc: https://www.cisco.com/c/dam/en/us/produ ... 736585.pdf

The next step is to try it on real hardware and involve Cisco TAC.
Maybe it's not a supported design at all, or I am missing something.

MSLAV
Posts: 6
Joined: Fri Nov 02, 2018 2:41 pm

Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN fabric) - PC on remote VTEP can't ping anything

Post by MSLAV » Mon Nov 12, 2018 5:26 pm

Update:
Moved all gateways to the VXLAN fabric; it works OK, all can ping all.
The migration strategy will be to move old servers within an old VLAN to the VXLAN fabric together with their gateways.

Still, I do not understand why the NVE does not forward the ARP request for the VLAN 805 GW from SRV2-1-805 to the CORE, though.

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London
Contact:

Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN fabric) - PC on remote VTEP can't ping anything

Post by Uldis (UD) » Mon Nov 12, 2018 7:39 pm

Dear MSLAV,

You can export your lab and upload it here.
The upload is a zip; just use the EVE GUI export lab function.

MSLAV
Posts: 6
Joined: Fri Nov 02, 2018 2:41 pm

Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN fabric) - PC on remote VTEP can't ping anything

Post by MSLAV » Tue Nov 13, 2018 11:42 pm

Sure.
The problem is that this lab doesn't look like it did when it was posted here; I was playing with it, trying different stuff.

I'm adding the lab which was at the beginning of the post.
The problem is that servers with GWs on the Core switch and connected to Leaf2 become isolated.
With GWs on the VTEPs (anycast GW), everything works fine.

I hope someone can figure it out.

BTW, there is another article about this kind of implementation: https://nwktimes.blogspot.com/2018/10/v ... ation.html

MSLAV
Posts: 6
Joined: Fri Nov 02, 2018 2:41 pm

Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN fabric) - PC on remote VTEP can't ping anything

Post by MSLAV » Fri Nov 16, 2018 8:00 pm

UPDATE:

Tried it on real hardware; all is working as expected: PCs on a remote Leaf are able to ping their GW on an external L3 device (a Core).
It seems that the issue relates to EVE-NG, whether it's the IOL on the CORE switch (I use 15.2a) or the Nexuses themselves. I also tried L3 IOL; same results, not a working solution.
I guess EVE just does not support the "Routed East-West Firewall" design.

UPDATE:

Finally made it work with the vIOS L2 image.
And I was missing ip pim rp-address [anycast-rp] on the Spines :-(
Problem solved.

This solution, https://www.cisco.com/c/dam/en/us/produ ... 736585.pdf, is 100% working in EVE-NG, and EVE-NG does its job perfectly.
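Worked example, added here as an illustration and not taken from any post in this thread or from the Cisco document: a minimal NX-OS configuration of the piece that was missing, the PIM anycast RP on the spines, next to the leaf-side NVE settings that depend on it. ARP requests from a server are broadcast, and with multicast replication the VTEP floods them to the other leafs only over the (*,G) tree for the VNI's group; with no RP mapped for that group the tree is never built, so the ARP request for the gateway on the CORE never leaves the leaf, which matches the symptom in the thread. Hostnames, loopback addresses, the VNI number, the multicast group and the port numbers are assumptions; VLAN 805 and the TCAM command come from the thread.

```text
! ===== SPINE1 (assumed hostname) -- SPINE2 is identical except for loopback0 =====
feature pim

! PIM sparse-mode is assumed to be enabled on loopback0 and on every
! fabric-facing interface; only the RP-specific lines are shown here.

! Dedicated loopback carrying the anycast RP address (assumed 10.0.0.254)
interface loopback254
  ip address 10.0.0.254/32
  ip pim sparse-mode

! Map the BUM replication range (assumed 239.1.1.0/24) to the anycast RP
ip pim rp-address 10.0.0.254 group-list 239.1.1.0/24
! Anycast-RP set: the RP address followed by each member spine's loopback0
ip pim anycast-rp 10.0.0.254 10.0.0.1
ip pim anycast-rp 10.0.0.254 10.0.0.2

! ===== LEAF2 (VTEP, assumed hostname) =====
feature pim
feature nv overlay
feature vn-segment-vlan-based
nv overlay evpn

! Every leaf needs the same RP mapping as the spines. Without this line
! the (*,G) join for the VNI's group is never sent, and broadcast ARP
! from local servers is dropped at the NVE instead of being replicated.
ip pim rp-address 10.0.0.254 group-list 239.1.1.0/24

! Legacy VLAN 805 (from the thread) mapped to an assumed L2 VNI
vlan 805
  vn-segment 30805

! TCAM carve-out mentioned in the thread; a reload is required after
! changing TCAM regions, and the space comes out of other regions.
hardware access-list tcam region arp-ether 256 double-wide

interface nve1
  no shutdown
  source-interface loopback0
  host-reachability protocol bgp
  member vni 30805
    ! BUM traffic (ARP, DHCP, unknown unicast) for this VNI is sent to
    ! this group, which lies inside the RP's group-list above
    mcast-group 239.1.1.105

! Only the leaf that has the L2 trunk toward the legacy CORE carries
! VLAN 805 on a physical trunk; the other leafs reach the CORE gateway
! purely through the VNI. Port number assumed.
interface Ethernet1/10
  switchport mode trunk
  switchport trunk allowed vlan 805
```

To confirm the fix is in place rather than just configured, check on a leaf that `show ip pim rp` lists 10.0.0.254 for the 239.1.1.0/24 range, that `show ip mroute 239.1.1.105` shows a (*,G) entry with the NVE as an outgoing interface, and that `show nve vni` reports VNI 30805 as Up with its multicast group; `show nve peers` should then list the remote VTEPs once hosts start talking. Before and after the TCAM change, compare `show hardware access-list tcam region` so that the space taken by the double-wide arp-ether region is not removed from a region your ACLs rely on.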

rumshot
Posts: 23
Joined: Fri Dec 21, 2018 12:51 pm

Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN fabric) - PC on remote VTEP can't ping anything

Post by rumshot » Sat Feb 09, 2019 3:34 pm

Hi MSLAV,

I'm going through a similar situation where I need to integrate an old topology into a new fabric.
Have you documented the latest lab version? I'm using a Nexus as a bridge following Cisco's advice, but it's getting more difficult day by day...

Best regards,
