Design Flashcards

1
Q

what are attributes of vxlan multipod?

A

Underlay
• Nicely Structured and Tiered Topologies
• Allows Efficient Scale-Out
• More End-Points = More Leaf
• More Bandwidth, Resilience or Capacity = More Spine or Tiers
• Different Control-Plane Instances (BGP AS)

Overlay
• End-to-End Encapsulation, Flat, No Hierarchy
• Single Control-Plane "reach" – all in one "kitchen sink"
2
Q

what are attributes of vxlan multi-site?

A
Multiple Overlay Domains
• Per-Site Encapsulation
• Closest to the Source
• Closest to the Destination
• Exit/Transit via Border Gateway (BGW)
• Multi-Site and/or External Connectivity
• @ Leaf = Border Leaf
• @ Spine = Border Spine
• Super-Spine becomes Transit
3
Q

what are best practices for ip-addressing when building a vxlan fabric?

A
Separate interface functions through IP addressing (aggregates).
Example:
• Unicast Routing – Routing Protocol Peering (p2p*) --> 10.0.0.0/24
• Unicast Routing – Routing Identifier (RID) --> 100.0.0.0/24
• VTEP and VPC --> 200.0.0.0/24
• Multicast Rendezvous-Point (RP) --> 20.0.0.0/24
4
Q

which configuration is mandatory on N56K switches to be able to configure vxlan?

A

The switch must be configured to use store-and-forward switching instead of cut-through; this change requires a reload:

hardware ethernet store-and-fwd-switching

5
Q

what is the actual TEP on your switch, i.e. the interface that encapsulates/decapsulates VXLAN frames?

A

interface nve

6
Q

what are use-cases for vxlan evpn multi-site?

A

scaling, compartmentalization (reduced failure domains) and DCI.
In addition, you can control what (which VLAN, VRF) is extended between sites.

7
Q

what are hardware and software requirements for the BGW function?

A

Cisco Nexus hardware

●  Cisco Nexus 9300 EX platform
●  Cisco Nexus 9300 FX platform
●  Cisco Nexus 9300 FX2 platform
●  Cisco Nexus 9300-GX platform *
●  Cisco Nexus 9332C platform
●  Cisco Nexus 9364C platform
●  Cisco Nexus 9500 platform with X9700-EX line card
●  Cisco Nexus 9500 platform with X9700-FX line card
Cisco NX-OS Software

Cisco NX-OS Software Release 7.0(3)I7(1) or later

8
Q

what is the main functional component of vxlan evpn multi-site?

A

The main functional component of the EVPN Multi-Site architecture is the border gateway, or BGW. BGWs separate the fabric-side (site-internal fabric) from the network that interconnects the sites (site-external DCI) and mask the site-internal VTEPs.

9
Q

will the transport network between sites see the site-internal VTEPs to enable transportation of vxlan packets?

A

No. Only the underlay IP addresses of the BGWs are seen inside the transport network between the BGWs. The site-internal VTEPs are always masked behind the BGWs.

10
Q

which functions must the site-internal node (spine) that connects to the BGW be capable of in multi-site?

A

● VXLAN with Protocol-Independent Multicast (PIM) Any-Source Multicast (ASM) or ingress replication (BGP EVPN Route Type 3) in the underlay

● BGP EVPN Route Type 2 and Route Type 5 for the overlay control plane

● Route reflector capable of exchanging BGP EVPN Route Type 4

● VXLAN Operations, Administration, and Maintenance (OAM)–capable devices for end-to-end OAM support

11
Q

can you use PIM BiDir in vxlan evpn multi-site?

A

No, it must be PIM ASM or head-end replication.

12
Q

how will BGWs send BUM traffic between sites?

A

head-end-replication

13
Q

where can you place BGWs in the fabric?

A

The BGW can be either a dedicated pair of leaves, directly connected to the spines, or the BGW function can be configured on the spines directly.

14
Q

what is a design drawback of having the BGW function on the SPINEs?

A

If the BGW is on the spine, many functions are overloaded together: for instance, route-reflector, Rendezvous-Point (RP), east-west traffic, and external connectivity functions. In this case, you need to consider additional factors related to scale, configuration, and failure scenarios.

15
Q

what are the design options for BGW in regards to redundancy?

A

It can be either a vPC pair or anycast-BGW.

16
Q

which platform do you need for anycast-BGW?

A

N9K cloud-scale (EX or FX)

17
Q

how many anycast-BGW per site are supported?

A

4 A-BGWs per site as of 7.x

18
Q

can you use an ethernet-interface-ip-address as anycast-BGW address?

A

No. The virtual IP address is represented by a dedicated loopback interface associated with the Network Virtualization Endpoint (NVE) interface (multisite border-gateway interface loopback100).

19
Q

what is a "PIP" and what is the PIP's function?

A

In addition to the virtual IP address or anycast IP address, every BGW has its own individual personality represented by the primary VTEP IP (PIP) address (source-interface loopback1). The PIP address is responsible in the BGW for handling BUM traffic. Every BGW uses its PIP address to perform BUM replication, either in the multicast underlay or when advertising BGP EVPN Route Type 3 (inclusive multicast), used for ingress replication.

If the BGW is providing external connectivity with VRF-lite next to the EVPN Multi-Site deployment, routing prefixes that are learned from the external Layer 3 devices are advertised inside the VXLAN fabric with the PIP address as the next-hop address.

20
Q

will every BGW forward all BUM traffic in anycast-BGW scenario?

A

No. Every A-BGW actively participates in the forwarding of BUM traffic. Specifically, the Designated-Forwarder (DF) function for BUM traffic is distributed on a per–Layer 2 VXLAN Network Identifier (VNI) basis. To synchronize the designated forwarders, BGP EVPN Route Type 4 (Ethernet segment route) updates are exchanged between the BGWs within the same site (Figure 6).

21
Q

what is a requirement to participate in designated-forwarder election in anycast-BGW scenario?

A

To participate in the designated-forwarder election, the configuration of the same site ID is required. This ID is defined as part of the BGW configuration (evpn multisite border-gateway ). In addition to the site ID, the use of the same Layer 2 VNI is needed to elect the designated forwarder from among the eligible BGWs.

22
Q

what are the two main failure-scenarios in evpn multi-site BGW?

A

site-internal or site-external failure

23
Q

how will BGW recognize site-internal failure and how will it react?

A

evpn multisite fabric-tracking
The EVPN Multi-Site fabric-tracking function detects whether one or all of the site-internal interfaces are available. As long as one of these interfaces is operational and available, the BGW can extend Layer 2 and Layer 3 traffic to remote sites. If all fabric-tracking interfaces are reported to be down, the following steps are performed:

● The isolated BGW stops advertising the virtual IP address to the site-external underlay network.

● The isolated BGW withdraws all of its advertised BGP EVPN routes (Route Type 2, Route Type 3, Route Type 4, and Route Type 5).

● The remaining BGWs withdraw all BGP EVPN Route Type 4 (Ethernet segment) routes received from the now isolated BGW because reachability is missing.

24
Q

how will BGW detect site-external failure and how will it react?

A

evpn multisite dci-tracking

In the rare case in which all DCI-tracking interfaces are down, the BGW performs the following actions:

● It stops advertising the virtual IP address to the site-internal underlay network.

● It withdraws all BGP EVPN Route Type 4 (Ethernet segment) route advertisement.

● It converts the BGW to a traditional VTEP (the PIP address stays up).

25
Q

what are the main design options that Cisco vxlan evpn multi-site supports?

A

The following major topologies:

● DCI

◦ BGW to cloud

◦ BGW back to back

● Multistage Clos (three tiers)

◦ BGW between spine and superspine

◦ BGW on spine

26
Q

how can you optimize the full-mesh eBGP network which is needed between the BGWs?

A

If the number of BGWs is high, the full mesh might become complex. Use a route server (RS) to reflect routes. The route server becomes the central point of control-plane peering and is not in the data path. A pair of RSs is recommended.

27
Q

what is the minimum supported topology for BGW back-to-back designs and why?

A

The minimum back-to-back topology is a square (with a local link between the BGWs), because otherwise there is a chance of dropping BUM traffic that cannot reach the designated forwarder.

28
Q

what are the two main design models for the vxlan underlay and which one is cisco recommended?

A

● The I-E-I model focuses on an Interior Gateway Protocol (IGP) and iBGP (IGP-iBGP)–based site-internal network (fabric) with eBGP-eBGP at the external site (DCI).

● The E-E-E model uses eBGP-eBGP within the site (fabric) as well as between sites (DCI).

Note: Although Cisco supports both models, the I-E-I deployment scenario is recommended.

29
Q

can you use head-end-replication for BUM in the local-site and PIM-ASM in the remote-site?

A

Yes. It also allows different BUM replication modes to be used at different sites. Thus, the local site-internal network can be configured with ingress replication while the remote site-internal network can be configured with a multicast-based underlay.

30
Q

what is the purpose of the rewrite-evpn-rt-asn configuration?

A

In EVPN Multi-Site architecture, each site is defined as an individual BGP autonomous system. Thus, with the use of automated route targets, the configurations of the VRF instance and the route-target extended community potentially diverge. For instance, if the local site uses ASN 65501 and the remote site uses ASN 65520, the route targets will be misaligned, and no prefixes learned from the control plane will be imported.

To allow the site-internal configuration to use the automated route target and require no change to any VTEP, the rewriting of the autonomous system portion on the route target must be possible, because the export route target at the local site must match the import route target at the remote site. In EVPN Multi-Site architecture, the route target can be rewritten during ingress at the remote site.

The autonomous system portion of the route target will be rewritten with the ASN specified in the BGP peering configuration.

31
Q

Can you use different VNIs for the same vxlan-group which is extended between sites with version 7.0.x?

A

No.
As of Cisco NX-OS 7.0(3)I7(1) for the Cisco Nexus 9000 Series EX- and FX-platform switches, all deployed sites must follow a consistent assignment of VNIs for either Layer 2 or Layer 3 extension. Therefore, a VLAN or VRF instance at the local site must be mapped to the same VNI that is used at the remote site. This consistent mapping is called symmetric VNI assignment. Subsequent releases will expand this capability to enable asymmetric VNI assignment, in which different VNIs can be stitched together at the BGW level.

32
Q

to enable external connectivity (to WAN, campus, etc.) on the border gateway, can you use VLAN interfaces (SVIs)?

A

No. The EVPN Multi-Site BGW does not support the coexistence of external connectivity with IEEE 802.1q tagged Layer 2 interfaces (trunk) and SVIs (interface VLAN), either with or without vPC. More generally, SVIs cannot currently be defined on the BGW.

33
Q

which two methods are used to advertise the default route to the fabric?

A

● The default route is learned through eBGP from the external router on a per-VRF basis. This default route is automatically passed through the BGW and advertised to the site-internal VTEPs through BGP EVPN.

● The default route is learned through a static or dynamic routing protocol (not eBGP). This approach requires the BGW to locally originate the default route and inject it into the BGP EVPN control plane facing the site-internal VTEPs.

34
Q

what is the quickest way to see the multi-site BGW status and the IP and MAC addresses used on a BGW?

A

show nve interface nve 1 detail

Interface: nve1, State: Up, encapsulation: VXLAN
VPC Capability: VPC-VIP-Only [not-notified]
Local Router MAC: 00a3.8e9d.9267
Host Learning Mode: Control-Plane
Source-Interface: loopback1 (primary: 10.200.200.21, secondary: 0.0.0.0)
Source Interface State: Up
IR Capability Mode: No
Virtual RMAC Advertisement: No
NVE Flags:
Interface Handle: 0x49000001
Source Interface hold-down-time: 180
Source Interface hold-up-time: 30
Remaining hold-down time: 0 seconds
Multi-Site delay-restore time: 180 seconds
Multi-Site delay-restore time left: 0 seconds
Virtual Router MAC: 0200.0a6f.6f01
Interface state: nve-intf-add-complete
unknown-peer-forwarding: disable
down-stream vni config mode: n/a
Multisite bgw-if: loopback100 (ip: 10.111.111.1, admin: Up, oper: Up)
Multisite bgw-if oper down reason:
Nve Src node last notif sent: None
Nve Mcast Src node last notif sent: None
Nve MultiSite Src node last notif sent: Port-up

35
Q

how can you verify site-external connections?

A

show nve multisite dci-links

36
Q

how can you verify site-internal connections?

A

show nve multisite fabric-links

37
Q

how can you verify for which VNIs a BGW is the designated forwarder (for BUM traffic)?

A

show nve ethernet-segment

ESI: 0300.0000.0000.0100.0309
Parent interface: nve1
ES State: Up
Port-channel state: N/A
NVE Interface: nve1
NVE State: Up
Host Learning Mode: control-plane
Active Vlans: 1,10,2003
DF Vlans: 10
Active VNIs: 30010,50001
CC failed for VLANs:
VLAN CC timer: 0
Number of ES members: 2
My ordinal: 0
DF timer start time: 00:00:00
Config State: N/A
DF List: 10.200.200.21 10.200.200.22

38
Q

where would you configure a delay-restore timer in vxlan multi-site and why?

A

As a sub-configuration of the site-ID configuration:
evpn multisite border-gateway
delay-restore time 300

The use case is to wait for the underlay to converge before enabling the overlay, to prevent blackholing.