Arista EOS Layer 2 EVPN configuration guide – a fabric network you can try at home


This article explains how to configure Layer 2 EVPN on Arista EOS. The method shown in "Arista EOS vxlanの設定紹介" required every VXLAN tunnel destination to be configured statically. With EVPN, BGP distributes the remote VTEP addresses and the MAC addresses behind them, and route-target extended communities tell each leaf which VNI those routes belong to, so the tunnel endpoints are learned dynamically instead of being typed into each switch.

Topology

The following environment is used for the verification.

                    +---------------+
192.168.13.0/24  .3 |    spine03    | .3  192.168.23.0/24
        +-----------+Lo0:10.3.3.3/32+----+
        |        e1 +---------------+ e2 |
        |                                |
     e2 | .1                          e1 | .2
+-------+-------+                +-------+-------+
|    leaf01     |                |    leaf02     |
|Lo0:10.1.1.1/32|                |Lo0:10.2.2.2/32|
+-------+-------+                +-------+-------+
     e1 | vlan100                     e2 | vlan100
        |                                |
        | 192.168.100.0/24               | 192.168.100.0/24
        |                                |
     e1 | .1                          e1 | .2
+-------+-------+                +-------+-------+
|    host01     |                |    host02     |
+---------------+                +---------------+

Initial configuration

The initial configuration consists of IP addressing only. Starting from this state, the settings EVPN needs are added step by step.

host01
! Command: show running-config
! device: host01 (vEOS, EOS-4.25.0FX-LDP-RSVP)
!
! boot system flash:/vEOS-lab.swi
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model ribd
!
hostname host01
!
spanning-tree mode mstp
!
no aaa root
!
username admin role network-admin secret sha512 $6$1HdZV8EnhStZl7Jq$ykA.fAxEM2WTNGiPYNFMQ9a88CjY2yK9F0tZM1x8xMWUAcmOQsuEWHVvYHo2OBUnZcxw2aqn767XrqkLaV8CS/
!
vrf instance CONSOLE
!
interface Ethernet1
   no switchport
   ip address 192.168.100.1/24
!
interface Management1
   vrf CONSOLE
   ip address 192.168.1.41/24
!
no ip routing
ip routing vrf CONSOLE
!
ip route vrf CONSOLE 0.0.0.0/0 192.168.1.1
!
end
leaf01
! Command: show running-config
! device: leaf01 (vEOS, EOS-4.25.0FX-LDP-RSVP)
!
! boot system flash:/vEOS-lab.swi
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model ribd
!
hostname leaf01
!
spanning-tree mode mstp
!
no aaa root
!
username admin role network-admin secret sha512 $6$8g4im0prH7WjskGr$WSWnk6NXojEYqo03GaaS0kg0RdAjkwKCF7hqpLk1b2/aIyjAUwIcBWcq.7zuWDyxdv8Otf74JsHzZnn9aR9hG.
!
vlan 100
!
vrf instance CONSOLE
!
interface Ethernet1
   switchport access vlan 100
!
interface Ethernet2
   no switchport
   ip address 192.168.13.1/24
!
interface Loopback0
   ip address 10.1.1.1/32
!
interface Management1
   vrf CONSOLE
   ip address 192.168.1.42/24
!
no ip routing
ip routing vrf CONSOLE
!
ip route vrf CONSOLE 0.0.0.0/0 192.168.1.1
!
end
spine03
! Command: show running-config
! device: spine03 (vEOS, EOS-4.25.0FX-LDP-RSVP)
!
! boot system flash:/vEOS-lab.swi
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model ribd
!
hostname spine03
!
spanning-tree mode mstp
!
no aaa root
!
username admin role network-admin secret sha512 $6$XNluPtcOuBEDxR5H$EqK9UnbxO1KHRl.1tmHKZoRw9mFvxp3/hFJqQUDQ9wnkXjINlDPRUoZ4wPECNmKue.BfLxYDT/LtYLe8u6T4J0
!
vrf instance CONSOLE
!
interface Ethernet1
   no switchport
   ip address 192.168.13.3/24
!
interface Ethernet2
   no switchport
   ip address 192.168.23.3/24
!
interface Loopback0
   ip address 10.3.3.3/32
!
interface Management1
   vrf CONSOLE
   ip address 192.168.1.43/24
!
no ip routing
ip routing vrf CONSOLE
!
ip route vrf CONSOLE 0.0.0.0/0 192.168.1.1
!
end
leaf02
! Command: show running-config
! device: leaf02 (vEOS, EOS-4.25.0FX-LDP-RSVP)
!
! boot system flash:/vEOS-lab.swi
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model ribd
!
hostname leaf02
!
spanning-tree mode mstp
!
no aaa root
!
username admin role network-admin secret sha512 $6$bVpJ2.2SeukhvZ49$i20QxV1G6Y4RsuFV57vcPuvB2gZo5LsVHdE9Ht9yxzQoNaieMNPkBB6gdvbsykwBqXG2UDN2peT49dbeQteuX/
!
vlan 100
!
vrf instance CONSOLE
!
interface Ethernet1
   no switchport
   ip address 192.168.23.2/24
!
interface Ethernet2
   switchport access vlan 100
!
interface Loopback0
   ip address 10.2.2.2/32
!
interface Management1
   vrf CONSOLE
   ip address 192.168.1.44/24
!
no ip routing
ip routing vrf CONSOLE
!
ip route vrf CONSOLE 0.0.0.0/0 192.168.1.1
!
end
host02
! Command: show running-config
! device: host02 (vEOS, EOS-4.25.0FX-LDP-RSVP)
!
! boot system flash:/vEOS-lab.swi
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model ribd
!
hostname host02
!
spanning-tree mode mstp
!
no aaa root
!
username admin role network-admin secret sha512 $6$k0Y65l5FD1m2IXQu$PGCSozozxe9XwHS2jPp/iDTy11fm34zcPkJfb1.hY0Ajgzoa9GpmVjqAF8nW1I0P9Per1sLq6oSiEOGEaYLlf.
!
vrf instance CONSOLE
!
interface Ethernet1
   no switchport
   ip address 192.168.100.2/24
!
interface Management1
   vrf CONSOLE
   ip address 192.168.1.45/24
!
no ip routing
ip routing vrf CONSOLE
!
ip route vrf CONSOLE 0.0.0.0/0 192.168.1.1
!
end

Verification

Building the underlay network

Apply the following configuration so that leaf01, spine03 and leaf02 can reach one another. It is exactly the same configuration as in "Arista EOS vxlanの設定紹介".

# leaf01
ip routing
router ospf 1
   network 10.1.1.1/32 area 0.0.0.0
   network 192.168.13.0/24 area 0.0.0.0

# spine03
ip routing
router ospf 1
   network 10.3.3.3/32 area 0.0.0.0
   network 192.168.13.0/24 area 0.0.0.0
   network 192.168.23.0/24 area 0.0.0.0

# leaf02
ip routing
router ospf 1
   network 10.2.2.2/32 area 0.0.0.0
   network 192.168.23.0/24 area 0.0.0.0

Confirm that leaf01 and leaf02 can reach each other's loopbacks, since those are the addresses the VXLAN tunnels and the BGP session will use.

leaf01#show ip route ospf

VRF: default
Codes: C - connected, S - static, K - kernel, 
       O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
       E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type2, B - BGP, B I - iBGP, B E - eBGP,
       R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
       O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
       NG - Nexthop Group Static Route, V - VXLAN Control Service,
       DH - DHCP client installed default route, M - Martian,
       DP - Dynamic Policy Route, L - VRF Leaked,
       RC - Route Cache Route

 O        10.2.2.2/32 [110/30] via 192.168.13.3, Ethernet2
 O        10.3.3.3/32 [110/20] via 192.168.13.3, Ethernet2
 O        192.168.23.0/24 [110/20] via 192.168.13.3, Ethernet2

leaf01#
leaf01#ping 10.2.2.2 source Loopback0
PING 10.2.2.2 (10.2.2.2) from 10.1.1.1 : 72(100) bytes of data.
80 bytes from 10.2.2.2: icmp_seq=1 ttl=63 time=4.64 ms
80 bytes from 10.2.2.2: icmp_seq=2 ttl=63 time=2.49 ms
80 bytes from 10.2.2.2: icmp_seq=3 ttl=63 time=3.72 ms
80 bytes from 10.2.2.2: icmp_seq=4 ttl=63 time=2.68 ms
80 bytes from 10.2.2.2: icmp_seq=5 ttl=63 time=2.36 ms

--- 10.2.2.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 17ms
rtt min/avg/max/mdev = 2.367/3.181/4.641/0.875 ms, ipg/ewma 4.367/3.875 ms
leaf01#

VXLAN configuration

Configure VXLAN on leaf01 and leaf02. Unlike "Arista EOS vxlanの設定紹介", note that no tunnel destinations are configured statically with the vxlan flood vtep command; the destinations are learned dynamically through EVPN.

# leaf01
interface Vxlan1
   vxlan source-interface Loopback0
   vxlan vlan 100 vni 90100

# leaf02
interface Vxlan1
   vxlan source-interface Loopback0
   vxlan vlan 100 vni 90100

At this point interface Vxlan1 is down: the flood mode is "not initialized yet" and remote MACs would still be learned from the data path. The interface comes up once the EVPN configuration is complete.

leaf01#show interfaces vxlan 1
Vxlan1 is down, line protocol is down (notconnect)
  Hardware is Vxlan
  Source interface is Loopback0 and is active with 10.1.1.1
  Replication/Flood Mode is not initialized yet
  Remote MAC learning via Datapath
  VNI mapping to VLANs
  Static VLAN to VNI mapping is 
    [100, 90100]     
  Note: All Dynamic VLANs used by VCS are internal VLANs.
        Use 'show vxlan vni' for details.
  Static VRF to VNI mapping is not configured
  MLAG Shared Router MAC is 0000.0000.0000
leaf01#

routing protocols model multi-agent

To use EVPN, "service routing protocols model multi-agent" must be enabled. If it is not, the following warning appears when you enter the EVPN address family.

Switching to the multi-agent routing protocols model only takes effect after a reboot.

leaf02(config)#router bgp 65000
leaf02(config-router-bgp)#no bgp default ipv4-unicast 
leaf02(config-router-bgp)#address-family evpn 
! Routing protocols model multi-agent must be configured for EVPN address-family
leaf02(config-router-bgp-af)#exit
leaf02(config-router-bgp)#exit
leaf02(config)#service routing protocols model multi-agent 
! Change will take effect only after switch reboot
leaf02(config)#

Enable "service routing protocols model multi-agent" on leaf01 and leaf02, then reload both switches; the setting does not take effect until then.

# leaf01
service routing protocols model multi-agent 

# leaf02
service routing protocols model multi-agent 

bgp address-family evpn

Establish a BGP EVPN address-family session between leaf01 and leaf02. It is an iBGP session (both leaves are in AS 65000) between the loopbacks, so it rides over the OSPF underlay built above. Per VLAN, the RD is written as loopback:VLAN and the route-target as 100:VNI. The RD must be unique per leaf, while the route-target must be identical on both leaves: if it differs, the routes are received but never imported into the VLAN.

# leaf01
router bgp 65000
   no bgp default ipv4-unicast
   timers bgp 10 30
   neighbor 10.2.2.2 remote-as 65000
   neighbor 10.2.2.2 update-source Loopback0
   neighbor 10.2.2.2 send-community
   !
   vlan 100
      rd 10.1.1.1:100
      route-target both 100:90100
      redistribute learned
   !
   address-family evpn
      neighbor 10.2.2.2 activate

# leaf02
router bgp 65000
   no bgp default ipv4-unicast
   timers bgp 10 30
   neighbor 10.1.1.1 remote-as 65000
   neighbor 10.1.1.1 update-source Loopback0
   neighbor 10.1.1.1 send-community
   !
   vlan 100
      rd 10.2.2.2:100
      route-target both 100:90100
      redistribute learned
   !
   address-family evpn
      neighbor 10.1.1.1 activate
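
The following consistency check is an added example, not code from the original article. It parses the `interface Loopback0` and `router bgp` sections of each leaf's configuration text (LEAF01 and LEAF02 are the stanzas above; LEAF02_BAD is a constructed misconfiguration) and reports the usual reasons an EVPN session shows Estab while nothing is imported: a route-target that differs between leaves for the same VLAN, a route distinguisher copied onto a second VTEP, or a neighbor that is missing on one side or not activated under address-family evpn.

```python
"""Consistency check for the per-VLAN EVPN stanzas of two or more EOS leaves.

Added example, not from the original article. parse_leaf() extracts the
loopback, ASN, neighbors, EVPN-activated neighbors and per-VLAN RD/RT from a
configuration text; lint() compares the leaves against each other.
"""
import re
from collections import defaultdict

LEAF01 = """\
interface Loopback0
   ip address 10.1.1.1/32
!
router bgp 65000
   no bgp default ipv4-unicast
   timers bgp 10 30
   neighbor 10.2.2.2 remote-as 65000
   neighbor 10.2.2.2 update-source Loopback0
   neighbor 10.2.2.2 send-community
   !
   vlan 100
      rd 10.1.1.1:100
      route-target both 100:90100
      redistribute learned
   !
   address-family evpn
      neighbor 10.2.2.2 activate
"""
# leaf02 mirrors leaf01: its own loopback/RD is 10.2.2.2, its neighbor is 10.1.1.1.
LEAF02 = LEAF01.replace("10.1.1.1", "10.2.2.2").replace("neighbor 10.2.2.2", "neighbor 10.1.1.1")
# Constructed bad variant: RD copied from leaf01, RT typo, neighbor never activated.
LEAF02_BAD = (LEAF02.replace("rd 10.2.2.2:100", "rd 10.1.1.1:100")
                    .replace("100:90100", "100:90101")
                    .replace("      neighbor 10.1.1.1 activate\n", ""))


def parse_leaf(config):
    """Return loopback, ASN, neighbors, activated neighbors and per-VLAN RD/RT."""
    info = {"asn": None, "loopback": None, "neighbors": {}, "activated": set(), "vlans": {}}
    section, vlan = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            section = "lo0" if line == "interface Loopback0" else None
        elif line.startswith("router bgp "):
            section, info["asn"] = "bgp", int(line.split()[2])
        elif section == "lo0" and line.startswith("ip address "):
            info["loopback"] = line.split()[2].split("/")[0]
        elif section == "bgp":
            if m := re.match(r"neighbor (\S+) remote-as (\d+)$", line):
                info["neighbors"][m[1]] = int(m[2])
            elif m := re.match(r"neighbor (\S+) activate$", line):
                info["activated"].add(m[1])
            elif m := re.match(r"vlan (\d+)$", line):
                vlan = int(m[1])
                info["vlans"][vlan] = {"rd": None, "rt": set()}
            elif line.startswith("address-family"):
                vlan = None  # leaving the per-VLAN block
            elif vlan is not None and (m := re.match(r"rd (\S+)$", line)):
                info["vlans"][vlan]["rd"] = m[1]
            elif vlan is not None and (m := re.match(r"route-target (?:import|export|both) (\S+)$", line)):
                info["vlans"][vlan]["rt"].add(m[1])
    return info


def lint(leaves):
    """Return a list of findings; empty when the leaves are mutually consistent."""
    parsed = {name: parse_leaf(cfg) for name, cfg in leaves.items()}
    findings = []
    if len({p["asn"] for p in parsed.values()}) > 1:
        findings.append("ASN differs between leaves (iBGP EVPN expects one AS)")
    rts, rds = defaultdict(dict), defaultdict(list)
    for name, p in parsed.items():
        for vlan, v in p["vlans"].items():
            rts[vlan][name] = frozenset(v["rt"])
            rds[v["rd"]].append(name)
    for vlan, per_leaf in rts.items():
        if len(set(per_leaf.values())) > 1:  # same VLAN, different import/export RT
            detail = ", ".join(f"{n}={sorted(r)}" for n, r in per_leaf.items())
            findings.append(f"vlan {vlan}: route-target differs ({detail}); routes will not be imported")
    for rd, names in rds.items():
        if len(names) > 1:
            findings.append(f"rd {rd} reused on {names}; RDs must be unique per VTEP")
    by_loopback = {p["loopback"]: n for n, p in parsed.items()}
    for name, p in parsed.items():
        for peer_ip in p["neighbors"]:
            peer = by_loopback.get(peer_ip)
            if peer is None:
                findings.append(f"{name}: neighbor {peer_ip} is not a known leaf loopback")
            elif p["loopback"] not in parsed[peer]["neighbors"]:
                findings.append(f"{peer}: no neighbor statement for {name} ({p['loopback']})")
            if peer_ip not in p["activated"]:
                findings.append(f"{name}: neighbor {peer_ip} not activated under address-family evpn")
    return findings


if __name__ == "__main__":
    print(lint({"leaf01": LEAF01, "leaf02": LEAF02}))      # []
    print(*lint({"leaf01": LEAF01, "leaf02": LEAF02_BAD}), sep="\n")
```

Feed it the output of `show running-config` from each leaf; with more than two leaves, a single mistyped route-target shows up as one odd member in the per-VLAN comparison.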

Confirm that the BGP neighbor is in the Estab state.

leaf01#show bgp evpn summary 
BGP summary information for VRF default
Router identifier 10.1.1.1, local AS number 65000
Neighbor Status Codes: m - Under maintenance
  Neighbor         V  AS           MsgRcvd   MsgSent  InQ OutQ  Up/Down State   PfxRcd PfxAcc
  10.2.2.2         4 65000             41        41    0    0 00:05:01 Estab   1      1
leaf01#

With show bgp evpn detail you can see that MAC address entries are exchanged carrying the BGP extended community route-target 100:90100, together with the VXLAN tunnel encapsulation extended community. This level of detail is normally unnecessary, but the command is worth trying when troubleshooting.

leaf01#show bgp evpn detail 
BGP routing table information for VRF default
Router identifier 10.1.1.1, local AS number 65000
BGP routing table entry for mac-ip 5555.5555.5555, Route Distinguisher: 10.1.1.1:100
 Paths: 1 available
  Local
    - from - (0.0.0.0)
      Origin IGP, metric -, localpref -, weight 0, valid, local, best
      Extended Community: Route-Target-AS:100:90100 TunnelEncap:tunnelTypeVxlan
      VNI: 90100 ESI: 0000:0000:0000:0000:0000

  <omitted>

Once EVPN is configured and the peer VTEP has been learned, interface Vxlan1 comes up. Compare this output with the earlier one: "Remote MAC learning" has changed from "Datapath" to "EVPN", and the flood mode is now "headend with Flood List Source: EVPN".

"Static VRF to VNI mapping is not configured" refers to Layer 3 VNIs (a VRF mapped to a VNI) and is expected here because this is a pure Layer 2 scenario. No static flood list appears either, since vxlan flood vtep was never configured.

Because the peer 10.2.2.2 was discovered through EVPN (its inclusive multicast, "imet", route), "Headend replication flood vtep list is:" lists 10.2.2.2 for VLAN 100.

leaf01#show interfaces vxlan 1
Vxlan1 is up, line protocol is up (connected)
  Hardware is Vxlan
  Source interface is Loopback0 and is active with 10.1.1.1
  Replication/Flood Mode is headend with Flood List Source: EVPN
  Remote MAC learning via EVPN
  VNI mapping to VLANs
  Static VLAN to VNI mapping is 
    [100, 90100]     
  Note: All Dynamic VLANs used by VCS are internal VLANs.
        Use 'show vxlan vni' for details.
  Static VRF to VNI mapping is not configured
  Headend replication flood vtep list is:
   100 10.2.2.2       
  MLAG Shared Router MAC is 0000.0000.0000

Connectivity test

Check connectivity from host01 to host02.

host01#ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2) 72(100) bytes of data.
80 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=28.3 ms
80 bytes from 192.168.100.2: icmp_seq=2 ttl=64 time=19.7 ms
80 bytes from 192.168.100.2: icmp_seq=3 ttl=64 time=11.6 ms
80 bytes from 192.168.100.2: icmp_seq=4 ttl=64 time=19.4 ms
80 bytes from 192.168.100.2: icmp_seq=5 ttl=64 time=18.2 ms

--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 71ms
rtt min/avg/max/mdev = 11.621/19.484/28.356/5.331 ms, pipe 3, ipg/ewma 17.882/23.796 ms
host01#

Running the following command on leaf01 or leaf02 right after the ping shows the MAC address table maintained by VXLAN. The Type column reads EVPN: host02's MAC was learned from the control plane, not from the data path.

leaf01#show vxlan address-table 
          Vxlan Mac Address Table
----------------------------------------------------------------------

VLAN  Mac Address     Type     Prt  VTEP             Moves   Last Move
----  -----------     ----     ---  ----             -----   ---------
 100  0050.56f4.e19e  EVPN     Vx1  10.2.2.2         1       0:00:25 ago
Total Remote Mac Addresses for this criterion: 1
leaf01#

The routes exchanged through EVPN can be listed with the following command. The mac-ip entries carry MAC addresses (route type 2), and the imet entries (route type 3) are how each leaf learns the other VTEP for its flood list.

leaf01#show bgp evpn 
BGP routing table information for VRF default
Router identifier 10.1.1.1, local AS number 65000
Route status codes: s - suppressed, * - valid, > - active, E - ECMP head, e - ECMP
                    S - Stale, c - Contributing to ECMP, b - backup
                    % - Pending BGP convergence
Origin codes: i - IGP, e - EGP, ? - incomplete
AS Path Attributes: Or-ID - Originator ID, C-LST - Cluster List, LL Nexthop - Link Local Nexthop

          Network                Next Hop              Metric  LocPref Weight  Path
 * >     RD: 10.1.1.1:100 mac-ip 000c.2905.9ba5
                                 -                     -       -       0       i
 * >     RD: 10.2.2.2:100 mac-ip 0050.56f4.e19e
                                 10.2.2.2              -       100     0       i
 * >     RD: 10.1.1.1:100 mac-ip 5555.5555.5555
                                 -                     -       -       0       i
 * >     RD: 10.1.1.1:100 imet 10.1.1.1
                                 -                     -       -       0       i
 * >     RD: 10.2.2.2:100 imet 10.2.2.2
                                 10.2.2.2              -       100     0       i
leaf01#

Packet capture

Capturing this traffic on the leaf01/spine03 link gives the following.

The BGP UPDATE announcing that host01's MAC is behind leaf01 appears on the wire just before the VXLAN-encapsulated ARP request from host01 to host02: leaf01 learns host01's MAC from the ARP request arriving on Ethernet1 and advertises it immediately, before the flooded copy reaches leaf02. leaf02 answers with its own UPDATE for host02's MAC (frame 23) just ahead of the ARP reply (frame 24).

     20 22.475148      10.1.1.1              10.2.2.2              BGP      170    UPDATE Message
     21 22.475350      VMware_05:9b:a5       Broadcast             ARP      110    Who has 192.168.100.2? Tell 192.168.100.1
     22 22.481529      10.2.2.2              10.1.1.1              TCP      66     179 → 38555 [ACK] Seq=58 Ack=162 Win=226 Len=0 TSval=310369 TSecr=304146
     23 22.493724      10.2.2.2              10.1.1.1              BGP      170    UPDATE Message
     24 22.493818      VMware_f4:e1:9e       VMware_05:9b:a5       ARP      110    192.168.100.2 is at 00:50:56:f4:e1:9e
     25 22.495288      10.1.1.1              10.2.2.2              TCP      66     38555 → 179 [ACK] Seq=162 Ack=162 Win=228 Len=0 TSval=304151 TSecr=310372
     26 22.502994      192.168.100.1         192.168.100.2         ICMP     164    Echo (ping) request  id=0x0c21, seq=1/256, ttl=64 (reply in 31)
     27 22.503114      192.168.100.1         192.168.100.2         ICMP     164    Echo (ping) request  id=0x0c21, seq=2/512, ttl=64 (reply in 32)
     28 22.505353      192.168.100.1         192.168.100.2         ICMP     164    Echo (ping) request  id=0x0c21, seq=3/768, ttl=64 (reply in 33)
     29 22.505470      192.168.100.1         192.168.100.2         ICMP     164    Echo (ping) request  id=0x0c21, seq=4/1024, ttl=64 (reply in 34)
     30 22.508540      192.168.100.1         192.168.100.2         ICMP     164    Echo (ping) request  id=0x0c21, seq=5/1280, ttl=64 (reply in 35)
     31 22.516073      192.168.100.2         192.168.100.1         ICMP     164    Echo (ping) reply    id=0x0c21, seq=1/256, ttl=64 (request in 26)
     32 22.516214      192.168.100.2         192.168.100.1         ICMP     164    Echo (ping) reply    id=0x0c21, seq=2/512, ttl=64 (request in 27)
     33 22.519617      192.168.100.2         192.168.100.1         ICMP     164    Echo (ping) reply    id=0x0c21, seq=3/768, ttl=64 (request in 28)
     34 22.519733      192.168.100.2         192.168.100.1         ICMP     164    Echo (ping) reply    id=0x0c21, seq=4/1024, ttl=64 (request in 29)
     35 22.520379      192.168.100.2         192.168.100.1         ICMP     164    Echo (ping) reply    id=0x0c21, seq=5/1280, ttl=64 (request in 30)

You can see host01's MAC address 00:0c:29:05:9b:a5 being advertised. So that the receiver knows which VLAN/VNI the advertised MAC belongs to, route-target 100:90100 is carried alongside it, and the Route Distinguisher 00010a0101010064 decodes as type 1, IP 10.1.1.1, assigned number 100. The line "MPLS Label 1: 5631" is the VNI: EVPN reuses the 3-byte MPLS label field to carry the VNI, 90100 is 0x015FF4, and Wireshark reads the top 20 bits of that field as a label, 0x15FF = 5631.

No.     Time           Source                Destination           Protocol Length Info
     20 22.475148      10.1.1.1              10.2.2.2              BGP      170    UPDATE Message

Frame 20: 170 bytes on wire (1360 bits), 170 bytes captured (1360 bits)
Ethernet II, Src: VMware_96:2a:5a (00:50:56:96:2a:5a), Dst: VMware_48:69:be (00:50:56:48:69:be)
Internet Protocol Version 4, Src: 10.1.1.1, Dst: 10.2.2.2
Transmission Control Protocol, Src Port: 38555, Dst Port: 179, Seq: 58, Ack: 58, Len: 104
Border Gateway Protocol - UPDATE Message
    Marker: ffffffffffffffffffffffffffffffff
    Length: 104
    Type: UPDATE Message (2)
    Withdrawn Routes Length: 0
    Total Path Attribute Length: 81
    Path attributes
        Path Attribute - ORIGIN: IGP
            Flags: 0x40, Transitive, Well-known, Complete
            Type Code: ORIGIN (1)
            Length: 1
            Origin: IGP (0)
        Path Attribute - AS_PATH: empty
            Flags: 0x40, Transitive, Well-known, Complete
            Type Code: AS_PATH (2)
            Length: 0
        Path Attribute - LOCAL_PREF: 100
            Flags: 0x40, Transitive, Well-known, Complete
            Type Code: LOCAL_PREF (5)
            Length: 4
            Local preference: 100
        Path Attribute - MP_REACH_NLRI
            Flags: 0x90, Optional, Extended-Length, Non-transitive, Complete
            Type Code: MP_REACH_NLRI (14)
            Length: 44
            Address family identifier (AFI): Layer-2 VPN (25)
            Subsequent address family identifier (SAFI): EVPN (70)
            Next hop network address (4 bytes)
            Number of Subnetwork points of attachment (SNPA): 0
            Network layer reachability information (35 bytes)
                EVPN NLRI: MAC Advertisement Route
                    Route Type: MAC Advertisement Route (2)
                    Length: 33
                    Route Distinguisher: 00010a0101010064 (10.1.1.1:100)
                    ESI: 00:00:00:00:00:00:00:00:00:00
                    Ethernet Tag ID: 0
                    MAC Address Length: 48
                    MAC Address: VMware_05:9b:a5 (00:0c:29:05:9b:a5)
                    IP Address Length: 0
                    IP Address: NOT INCLUDED
                    0000 0001 0101 1111 1111 .... = MPLS Label 1: 5631
        Path Attribute - EXTENDED_COMMUNITIES
            Flags: 0xc0, Optional, Transitive, Complete
            Type Code: EXTENDED_COMMUNITIES (16)
            Length: 16
            Carried extended communities: (2 communities)
                Route Target: 100:90100 [Transitive 2-Octet AS-Specific]
                Encapsulation: VXLAN Encapsulation [Transitive Opaque]
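
As an added example that is not part of the original article, the following Python decodes the MAC Advertisement NLRI and the extended communities of frame 20 from bytes reconstructed out of the dissected fields shown above. It also shows why the dissector prints 5631 for VNI 90100 and how a receiving leaf decides which VLAN to import the route into; the LOCAL_IMPORT_RT mapping stands in for leaf02's `route-target both 100:90100` and is an assumption of this example.

```python
"""Decode the EVPN MAC Advertisement (route type 2) NLRI and extended
communities carried in frame 20.

Added example, not code from the original article. The byte strings are
reconstructed from the dissected fields in the capture; the layout follows
RFC 7432 section 7.2, with the VNI in the 3-byte label field as RFC 8365
section 5.1.3 specifies. LOCAL_IMPORT_RT is an assumption modelling the
receiving leaf's `route-target both 100:90100`.
"""
import ipaddress
import struct

# Constructed from frame 20: route type 2, length 33, then the 33-byte body.
NLRI_FRAME20 = bytes.fromhex(
    "02" "21"
    "00010a0101010064"       # RD type 1 (IP:number) = 10.1.1.1:100
    "00000000000000000000"   # ESI, all zero: single-homed host
    "00000000"               # Ethernet Tag ID 0
    "30" "000c29059ba5"      # MAC length 48 bits, host01's MAC
    "00"                     # IP length 0: pure Layer 2 advertisement
    "015ff4"                 # label field = VNI 90100 (0x015FF4)
)
# Constructed from frame 20: two 8-byte extended communities.
EXT_COMM_FRAME20 = bytes.fromhex(
    "0002" "0064" "00015ff4"   # Route Target, transitive 2-octet AS specific: 100:90100
    "030c" "00000000" "0008"   # BGP Encapsulation (RFC 9012), tunnel type 8 = VXLAN
)
LOCAL_IMPORT_RT = {"100:90100": 100}  # assumption: receiving leaf's import RT -> VLAN

TUNNEL_TYPES = {8: "VXLAN", 9: "NVGRE", 10: "MPLS"}
# Valid type-2 body lengths: {no IP, IPv4, IPv6} x {one label, two labels}.
VALID_TYPE2_LENGTHS = (33, 36, 37, 40, 49, 52)


def decode_rd(rd: bytes) -> str:
    """Render an 8-byte Route Distinguisher of type 0, 1 or 2."""
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", rd[2:])
        return f"{asn}:{num}"
    if rd_type == 1:
        return f"{ipaddress.IPv4Address(rd[2:6])}:{struct.unpack('!H', rd[6:])[0]}"
    if rd_type == 2:
        asn, num = struct.unpack("!IH", rd[2:])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")


def decode_mac_advertisement(nlri: bytes) -> dict:
    """Parse one route-type-2 NLRI; raises on anything that is not well formed."""
    route_type, length = nlri[0], nlri[1]
    if route_type != 2:
        raise ValueError(f"route type {route_type} is not a MAC Advertisement")
    body = nlri[2:2 + length]
    if len(body) != length or length not in VALID_TYPE2_LENGTHS:
        raise ValueError("truncated or malformed type-2 body")
    if body[22] != 48:
        raise ValueError(f"unsupported MAC length {body[22]}")
    ip_len = body[29]
    if ip_len not in (0, 32, 128):
        raise ValueError(f"invalid IP length {ip_len}")
    pos = 30 + ip_len // 8
    vni = int.from_bytes(body[pos:pos + 3], "big")  # 24-bit VNI in the label field
    return {
        "rd": decode_rd(body[:8]),
        "esi": body[8:18].hex(),
        "eth_tag": struct.unpack("!I", body[18:22])[0],
        "mac": ":".join(f"{b:02x}" for b in body[23:29]),
        "ip": str(ipaddress.ip_address(body[30:pos])) if ip_len else None,
        "vni": vni,
        # What a dissector shows when it treats the field as a 20-bit MPLS label.
        "mpls_label_view": vni >> 4,
    }


def decode_extended_communities(attr: bytes) -> list:
    """Render each 8-byte extended community; unknown ones are kept as hex."""
    if len(attr) % 8:
        raise ValueError("extended communities attribute is not a multiple of 8 bytes")
    out = []
    for i in range(0, len(attr), 8):
        ec = attr[i:i + 8]
        high, sub = ec[0] & 0x3F, ec[1]  # mask the transitive/IANA bits
        if high == 0x00 and sub == 0x02:    # Route Target, 2-octet AS specific
            asn, num = struct.unpack("!HI", ec[2:])
            out.append(f"RT:{asn}:{num}")
        elif high == 0x01 and sub == 0x02:  # Route Target, IPv4 address specific
            out.append(f"RT:{ipaddress.IPv4Address(ec[2:6])}:{struct.unpack('!H', ec[6:])[0]}")
        elif high == 0x03 and sub == 0x0C:  # BGP Encapsulation: tunnel type in the last 2 bytes
            tunnel = struct.unpack("!H", ec[6:])[0]
            out.append("ENCAP:" + TUNNEL_TYPES.get(tunnel, str(tunnel)))
        else:
            out.append(f"UNKNOWN:{ec.hex()}")
    return out


def import_vlan(ext_comms: list):
    """Return the local VLAN whose import RT matches the route, or None (route not imported)."""
    for ec in ext_comms:
        if ec.startswith("RT:") and ec[3:] in LOCAL_IMPORT_RT:
            return LOCAL_IMPORT_RT[ec[3:]]
    return None


if __name__ == "__main__":
    print(decode_mac_advertisement(NLRI_FRAME20))
    print(decode_extended_communities(EXT_COMM_FRAME20))
```

A route whose RT is 100:90101 decodes just as cleanly but import_vlan() returns None, which is exactly the "session Estab, PfxRcd 1, yet no remote MAC" symptom of a route-target mismatch.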

After the BGP UPDATE, the VXLAN-encapsulated ARP request is observed: outer IP addresses are the two loopbacks, UDP destination port 4789, and the inner source MAC is the 00:0c:29:05:9b:a5 that was just advertised. Note that the receiving leaf places the inner frame in VLAN 100 purely on the VNI in the VXLAN header, which carries no authentication; in a production fabric, UDP/4789 must only be reachable from trusted VTEP addresses.

No.     Time           Source                Destination           Protocol Length Info
     21 22.475350      VMware_05:9b:a5       Broadcast             ARP      110    Who has 192.168.100.2? Tell 192.168.100.1

Frame 21: 110 bytes on wire (880 bits), 110 bytes captured (880 bits)
Ethernet II, Src: VMware_96:2a:5a (00:50:56:96:2a:5a), Dst: VMware_48:69:be (00:50:56:48:69:be)
Internet Protocol Version 4, Src: 10.1.1.1, Dst: 10.2.2.2
User Datagram Protocol, Src Port: 19795, Dst Port: 4789
Virtual eXtensible Local Area Network
Ethernet II, Src: VMware_05:9b:a5 (00:0c:29:05:9b:a5), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
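
As an added example that is not part of the original article, the following Python rebuilds the UDP payload of frame 21 from the dissected fields above and decodes it: the VXLAN header carrying VNI 90100, then host01's broadcast ARP request, padded to the 60-byte Ethernet minimum that the 110-byte frame length implies (14 + 20 + 8 + 8 + 60). VLAN_FOR_VNI mirrors the leaves' `vxlan vlan 100 vni 90100`; KNOWN_VTEPS is an assumption modelling the check that only the fabric's own loopbacks may source VXLAN.

```python
"""Decode a VXLAN-encapsulated ARP request like frame 21.

Added example, not code from the original article. build_sample_payload()
reconstructs the UDP payload of frame 21 (RFC 7348 VXLAN header followed by
an RFC 826 ARP request); decode_frame21() takes it apart again.
KNOWN_VTEPS and VLAN_FOR_VNI are assumptions taken from the article's topology.
"""
import ipaddress
import struct

VXLAN_PORT = 4789
VLAN_FOR_VNI = {90100: 100}                 # the leaves' `vxlan vlan 100 vni 90100`
KNOWN_VTEPS = {"10.1.1.1", "10.2.2.2"}     # assumption: the fabric's VTEP loopbacks
HOST01_MAC = bytes.fromhex("000c29059ba5")


def build_sample_payload() -> bytes:
    """Constructed UDP payload of frame 21: VXLAN header + inner Ethernet/ARP (68 bytes)."""
    vxlan = bytes([0x08, 0, 0, 0]) + (90100).to_bytes(3, "big") + b"\x00"  # I flag, VNI, reserved
    inner_eth = b"\xff" * 6 + HOST01_MAC + b"\x08\x06"                     # broadcast, host01, ARP
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      HOST01_MAC, ipaddress.IPv4Address("192.168.100.1").packed,
                      bytes(6), ipaddress.IPv4Address("192.168.100.2").packed)
    inner = inner_eth + arp
    inner += bytes(60 - len(inner))  # pad to the minimum Ethernet frame size
    return vxlan + inner


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_vxlan(payload: bytes) -> dict:
    """Split a VXLAN UDP payload into VNI, the VLAN it maps to locally, and the inner frame."""
    if len(payload) < 8 + 14:
        raise ValueError("payload too short for VXLAN header plus inner Ethernet header")
    if not payload[0] & 0x08:
        raise ValueError("VXLAN I flag not set: no valid VNI")
    vni = int.from_bytes(payload[4:7], "big")
    return {"vni": vni, "vlan": VLAN_FOR_VNI.get(vni), "inner": payload[8:]}


def decode_arp(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying IPv4-over-Ethernet ARP; trailing padding is ignored."""
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0806:
        raise ValueError(f"ethertype 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    info = {
        "op": {1: "request", 2: "reply"}.get(oper, oper),
        "sha": _mac(sha), "spa": str(ipaddress.IPv4Address(spa)),
        "tha": _mac(tha), "tpa": str(ipaddress.IPv4Address(tpa)),
        "broadcast": dst == b"\xff" * 6,
    }
    info["summary"] = (f"Who has {info['tpa']}? Tell {info['spa']}" if oper == 1
                       else f"{info['spa']} is at {info['sha']}")
    return info


def decode_frame21(payload: bytes) -> dict:
    """Full decode: VXLAN header, then the encapsulated ARP."""
    vx = decode_vxlan(payload)
    return {"vni": vx["vni"], "vlan": vx["vlan"], **decode_arp(vx["inner"])}


def accept_vxlan(outer_src: str, dst_port: int, payload: bytes):
    """Model of the receive check a VTEP should apply: only known VTEPs on UDP/4789 are decoded."""
    if dst_port != VXLAN_PORT or outer_src not in KNOWN_VTEPS:
        return None
    return decode_frame21(payload)


if __name__ == "__main__":
    print(decode_frame21(build_sample_payload()))
```

The same decoder applied to frame 24 yields the "192.168.100.2 is at 00:50:56:f4:e1:9e" reply; a frame arriving with a VNI that is not in VLAN_FOR_VNI decodes with vlan None and should be dropped, as should anything sourced from an address outside KNOWN_VTEPS.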