DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN nfabric) - PC on remote VTEP cant ping anything
- MSLAV
- Posts: 6
- Joined: Fri Nov 02, 2018 2:41 pm
DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN nfabric) - PC on remote VTEP cant ping anything
Hello all,
Can anyone help me resolve a problem I faced while playing with VXLAN EVPN?
My topology is in the attachment.
The problem is that Moved_Server1 can ping everything except Moved_Server2 and 3 behind VTEP Leaf 2 and 3.
These two servers can't ping anything.
Did anyone face the same problem, or can anyone point to a guide where this is explained?
Cisco has a doc talking about firewall implementations with a VXLAN fabric: https://www.cisco.com/c/dam/en/us/produ ... 736585.pdf
And it seems that my scenario is valid... but it doesn't work.
-
- Posts: 1
- Joined: Sun Nov 11, 2018 3:56 pm
Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN nfabric) - PC on remote VTEP cant ping anything
Hi, please come onto the Rocket Chat technical discussion chat and I can help you with this. I'm just in the process of fitting my firewalls into an EVPN fabric; this comes under Cisco programmable fabric and you can have both L2 and L3 firewall modes.
Your issue has to be down to ACLs; do you not get any hits at all?
My design is different in that I'm using multiple tenants and VRFs at the L3 VNI level.
-
- Posts: 5086
- Joined: Wed Mar 15, 2017 4:44 pm
- Location: London
- Contact:
Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN nfabric) - PC on remote VTEP cant ping anything
Paul meant:
http://www.eve-ng.net/live-helpdesk
Use your Google account or create a new one for the chat.
It is the Tech room.
UD
-
- Posts: 13
- Joined: Thu Sep 20, 2018 5:58 am
Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN nfabric) - PC on remote VTEP cant ping anything
Can you guys attach the .unl file, so we can test it out too, and the exported cfg if you have it? Thanks.
- MSLAV
- Posts: 6
- Joined: Fri Nov 02, 2018 2:41 pm
Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN nfabric) - PC on remote VTEP cant ping anything
UPDATE:
Ok, I created a new lab (in attachments).
The scenario is the following:
Customer A has old infra with servers connected to the CORE switch; gateways are on the CORE.
Now they are building a VXLAN fabric.
New servers will be connected directly to Leafs with Anycast Gateways on them.
Old servers will be transitioned to Leafs with a step-by-step approach, so keeping the GW on the Core is mandatory until all servers are migrated.
I was able to make it work with some limitations:
1. "hardware access-list TCAM region arp-ether 256 double-wide" - added double-wide
2. It seems that I have to have Old-Servers on both Leafs. If Old_Servers are connected to a Leaf which does not have a direct L2 trunk to the CORE, it doesn't work. I guess there is something wrong with the control plane/ARP or something. So, servers in "Green" can ping everything; the server in "Red" behind Leaf2 can't even get out.
The general technical solution is described in this doc: https://www.cisco.com/c/dam/en/us/produ ... 736585.pdf
Next step is to try it on real hardware and involve Cisco TAC.
Maybe it's not a supported design at all, or I am missing something.
- MSLAV
- Posts: 6
- Joined: Fri Nov 02, 2018 2:41 pm
Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN nfabric) - PC on remote VTEP cant ping anything
Update:
Moved all gateways to the VXLAN fabric; works OK, all can ping all.
The migration strategy will be to move old servers within an old VLAN to the VXLAN fabric together with its gateway.
Still, I do not understand why the NVE does not forward the ARP request for the VLAN 805 GW from SRV2-1-805 to the CORE, though.
-
- Posts: 5086
- Joined: Wed Mar 15, 2017 4:44 pm
- Location: London
- Contact:
Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN nfabric) - PC on remote VTEP cant ping anything
Dear MSLAV,
You can export your lab and upload it here.
The upload is a zip; just use the EVE GUI lab export.
- MSLAV
- Posts: 6
- Joined: Fri Nov 02, 2018 2:41 pm
Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN nfabric) - PC on remote VTEP cant ping anything
Sure.
Problem is that this lab doesn't look like the one that was posted here; I was playing with it, trying different stuff.
I'm adding the lab which was at the beginning of the post.
The problem is that servers with GWs on the Core switch and connected to Leaf2 become isolated.
With GWs on the VTEPs (anycast GW), everything is working well.
I hope someone can figure it out.
BTW, there is another article about this kind of implementation: https://nwktimes.blogspot.com/2018/10/v ... ation.html
- MSLAV
- Posts: 6
- Joined: Fri Nov 02, 2018 2:41 pm
Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN nfabric) - PC on remote VTEP cant ping anything
UPDATE:
Tried on real hardware; all is working as expected: PCs on the remote Leaf are able to ping their GW on an external L3 device (a Core).
It seems that the issue relates to EVE-NG, whether it's the IOL on the CORE switch (I use 15.2a) or the Nexuses themselves. I also tried L3 IOL; same results, not a working solution.
I guess EVE just does not support the "Routed East-West Firewall" design.
UPDATE:
Finally made it work with the vIOS L2 image.
And I was missing ip pim rp-address [anycast-rp] on the Spines.
Problem solved.
This solution: https://www.cisco.com/c/dam/en/us/produ ... 736585.pdf is 100% working in EVE-NG, and EVE-NG does its job perfectly.
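As an added illustration of the fix in this post (example code, not from the thread, EVE-NG or Cisco), a small Python audit that parses constructed NX-OS-style config snippets and flags a spine that has no `ip pim rp-address` covering the L2VNI's flood group, which is the gap that left the ARP request for the VLAN 805 gateway unreplicated to the remote VTEP; it also flags VTEPs that disagree on the flood group. Device names, addresses, VNI 30805 and group 239.1.1.1 are constructed sample values, and `parse_config`, `rp_covers` and `audit` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed NX-OS-style snippets (sample addresses; VNI 30805 stands in for the thread's VLAN 805).
# SPINE1 deliberately lacks `ip pim rp-address`, the omission the thread ended on.
LEAF_CFG = ("feature pim\nip pim rp-address 10.0.0.254 group-list 239.1.0.0/16\n"
            "interface nve1\n  member vni 30805\n    mcast-group 239.1.1.1\n")
SAMPLE = {
    "SPINE1": "feature pim\ninterface Ethernet1/1\n  ip pim sparse-mode\n",
    "LEAF1": LEAF_CFG,
    "LEAF2": LEAF_CFG,
}
FIXED = dict(SAMPLE, SPINE1=SAMPLE["SPINE1"] + "ip pim rp-address 10.0.0.254 group-list 239.1.0.0/16\n")
RP_RE = re.compile(r"^\s*ip pim rp-address (\S+)(?: group-list (\S+))?")
MEMBER_RE = re.compile(r"^\s*member vni (\d+)")
GROUP_RE = re.compile(r"^\s*mcast-group (\S+)")


def parse_config(text):
    """Return ({rp_address: group_list_network_or_None}, {vni: mcast_group}) for one device."""
    rps, vnis, cur = {}, {}, None
    for line in text.splitlines():
        if m := RP_RE.match(line):
            rps[m.group(1)] = ipaddress.ip_network(m.group(2)) if m.group(2) else None
        elif m := MEMBER_RE.match(line):                       # `member vni N` under interface nve1
            cur = int(m.group(1))
        elif (m := GROUP_RE.match(line)) and cur is not None:  # nested `mcast-group G`
            vnis[cur] = ipaddress.ip_address(m.group(1))
    return rps, vnis


def rp_covers(rps, group):
    # No group-list on an RP means it serves the whole 224.0.0.0/4 range.
    return any(net is None or group in net for net in rps.values())


def audit(configs):
    """configs: {device: running-config text}. Returns [(device, vni, problem), ...]."""
    parsed = {dev: parse_config(cfg) for dev, cfg in configs.items()}
    groups = {}                                   # vni -> set of mcast-groups seen on VTEPs
    for _, vnis in parsed.values():
        for vni, grp in vnis.items():
            groups.setdefault(vni, set()).add(grp)
    findings = []
    for vni, grps in sorted(groups.items()):
        if len(grps) > 1:                         # VTEPs disagree on the flood group: BUM is split
            findings.append(("fabric", vni, "mcast-group mismatch across VTEPs: %s" % sorted(map(str, grps))))
        # Every device in the multicast path (spines included) must know an RP for the flood group,
        # or the (*,G) tree that carries ARP/BUM toward the remote VTEP is never built.
        for dev, (rps, _) in sorted(parsed.items()):
            for grp in sorted(grps):
                if not rp_covers(rps, grp):
                    findings.append((dev, vni, "no ip pim rp-address covering %s" % grp))
    return findings
```

Running `audit(SAMPLE)` reports only SPINE1, and `audit(FIXED)` reports nothing once the RP line is present on the spine.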
-
- Posts: 23
- Joined: Fri Dec 21, 2018 12:51 pm
Re: DataCenter VXLAN EVPN - L2out (extending L2 out of VXLAN nfabric) - PC on remote VTEP cant ping anything
Hi MsLav,
I'm passing through a similar situation where I need to integrate an old topology into a new fabric.
Do you have the latest lab version documented? I'm using a Nexus as a bridge following Cisco's advice, but it's getting more difficult day by day...
Best regards,