Configuring EVPN Virtual Private Wire Service

Module Introduction

Before you start the hands-on part of this module, you should load the appropriate configuration and verify that the testbed is up and running by executing the corresponding robot file:

student@tour:~/trainings_resources/robot$ robot mpls_evpn_pw/mpls_evpn_pw_setup.robot

We use IS-IS as the IGP for the examples and exercises in this module. The choice of IGP is not important for understanding and configuring EVPNs. However, if you prefer to run OSPF instead, you can load the setup using the -v igp:ospf knob:

student@tour:~/trainings_resources/robot$ robot -v igp:ospf mpls_evpn_pw/mpls_evpn_pw_setup.robot

For a better understanding, the lab setup is shown in the figure below.

Figure 1. EVPN VPWS Lab Setup

In RBFS version 24.8.1, EVPN is only supported on Q2A/Q2C/QAX-based platforms, but not in virtual environments. In this module, the configuration steps are explained and the corresponding control plane outputs are shown. However, the data plane is not working due to missing EVPN support in VPP.

Virtual Private Wire Service and EVPN

A virtual private wire service (VPWS) or pseudowire is a mechanism that emulates a point-to-point connection over a packet-switched network. EVPN can be used to set up and maintain a VPWS, re-using existing BGP infrastructure. In addition, EVPN supports multihoming, thus providing better resiliency.

Unlike regular EVPN services, EVPN VPWS does not rely on MAC learning. Since it’s a point-to-point service, each PE knows where to forward traffic without having to learn MAC addresses. The focus is on simple Layer 2 frame forwarding between two endpoints. As a result, the BGP MAC/IP Advertisement Route (Type 2) is not used in EVPN VPWS. EVPN VPWS primarily uses the Ethernet Auto-Discovery Route (Type 1) to advertise the existence of a point-to-point Ethernet segment. The Ethernet Segment Route (Type 4) may still be used for multihoming in EVPN VPWS scenarios where redundancy is needed between two sites.

Since VPWS is a point-to-point service, it doesn’t involve broadcast, unknown unicast, or multicast traffic handling, i.e., there is no need for mechanisms like inclusive multicast routes or ingress replication.

EVPN Pseudowire Configuration

Configuring EVPN Support in BGP

In order to use the BGP control plane, we need to activate the corresponding address-family l2vpn evpn in BGP at both the BGP protocol level and the peer-group level. Note that, as EVPN is a control plane mechanism, there is no l2vpn evpn address-family configuration on the instance level.

Exercise 1: BGP Configuration

Configure two iBGP peerings to the BGP neighbors 192.168.0.5 and 192.168.0.6, both supporting the IPv4 unicast and L2VPN EVPN address families. The local AS number is 64500.

Answer:
cfg> set instance default protocol bgp hostname R1
cfg> set instance default protocol bgp local-as 64500
cfg> set instance default protocol bgp router-id 192.168.0.1
cfg> set instance default protocol bgp address-family ipv4 unicast
cfg> set instance default protocol bgp address-family l2vpn evpn
cfg> set instance default protocol bgp peer ipv4 192.168.0.5 192.168.0.1
cfg> set instance default protocol bgp peer ipv4 192.168.0.5 192.168.0.1 peer-group INTERN
cfg> set instance default protocol bgp peer ipv4 192.168.0.6 192.168.0.1
cfg> set instance default protocol bgp peer ipv4 192.168.0.6 192.168.0.1 peer-group INTERN
cfg> set instance default protocol bgp peer-group INTERN
cfg> set instance default protocol bgp peer-group INTERN remote-as 64500
cfg> set instance default protocol bgp peer-group INTERN address-family ipv4 unicast
cfg> set instance default protocol bgp peer-group INTERN address-family l2vpn evpn
cfg> commit

Let’s check if the EVPN address-family was successfully negotiated:

cfg> show bgp peer R5
Peer: R5, Peer IP: 192.168.0.5, Remote AS: 64500, Local: 192.168.0.1, Local AS: 64500, Any AS: False
  Type: ibgp, State: Established, Up/Down Time:
  Discovered on interface: -
  Last transition: Tue Aug 13 14:01:39 GMT +0000 2024, Flap count: 0
  Peer ID        : 192.168.0.5, Local ID  : 192.168.0.1
  Instance       : default, Peer group: INTERN
  6PE enabled    : False
  Timer values:
    Peer keepalive : 30s, Local keepalive: 30s
    Peer holddown  : 90s, Local holddown : 90s
    Connect retry  : 30s
  Timers:
    Connect retry timer : 0s
    keepalive timer     : expires in 5s 975321us
    Holddown timer      : expires in 1m 11s 698382us
  NLRIs:
    Sent           : ['l2vpn-evpn', 'ipv4-unicast']
    Received       : ['l2vpn-evpn', 'ipv4-unicast']
    Negotiated     : ['l2vpn-evpn', 'ipv4-unicast']
<...>

Configuring Interfaces for EVPN VPWS Support

The link between the CE device and the PE router is called an attachment circuit in pseudowire terminology. In EVPN, it is represented as an Ethernet segment. In order to use an interface as an attachment circuit, we need to set the interface-type to l2vpn-vpws and assign the interface to a corresponding Ethernet instance. Both of these settings are done on the set interface <ifname> unit <unit> level. EVPN supports both untagged and tagged interfaces.

Exercise 2: EVPN Interface Configuration

Configure interface hostif-0/0/11 for EVPN VPWS services. There should be two units, one for VLAN 101 and one for VLAN 102. Both units should be assigned to EVI EVPN-VPWS.

Answer:
cfg> delete interface hostif-0/0/11 admin-status down
cfg> set interface hostif-0/0/11 description "Link to CE1"
cfg> set interface hostif-0/0/11 unit 101
cfg> set interface hostif-0/0/11 unit 101 interface-type l2vpn-vpws
cfg> set interface hostif-0/0/11 unit 101 instance EVPN-VPWS
cfg> set interface hostif-0/0/11 unit 101 vlan 101
cfg> set interface hostif-0/0/11 unit 102
cfg> set interface hostif-0/0/11 unit 102 interface-type l2vpn-vpws
cfg> set interface hostif-0/0/11 unit 102 instance EVPN-VPWS
cfg> set interface hostif-0/0/11 unit 102 vlan 102
cfg> commit

As EVPN is a layer-2 service, there is no IP address configuration on the interface.

We can now verify that the interface type has changed from layer-3 (default) to l2vpn-vpws:

sh interface logical
Interface              Instance            Admin   Link    Oper    Outer VLAN   Inner VLAN  IPv4 Status,MTU   IPv6 Status,MTU   Type
lo-0/0/0/0             default             Up      Up      Up      -            -           Up,NA             Up,NA             l3
hostif-0/0/1/0         default             Up      Up      Up      -            -           Up,1500           Up,1500           l3
hostif-0/0/2/0         default             Up      Up      Up      -            -           Up,1500           Up,1500           l3
hostif-0/0/11/101      EVPN-VPWS           Up      Up      Up      101          -           -                 -                 l2vpn-vpws
hostif-0/0/11/102      EVPN-VPWS           Up      Up      Up      102          -           -                 -                 l2vpn-vpws

Configuring EVPN Instance

Finally, we need to configure an Ethernet VPN instance. The instance configuration includes parameters like router-id, route-distinguisher, as well as import and export route-target for the address-family l2vpn evpn-vpws.

In addition, the VPWS must be defined. As the VPWS is a point-to-point service, we need to assign a local and a remote service-id to the Ethernet segment (the interface to the CE router) using the command set instance <instance> protocol bgp address-family l2vpn evpn-vpws interface <ifl> local-service-id|remote-service-id <value>. The local-service-id must match the remote-service-id on the remote PE router and vice versa.

Exercise 3: EVPN Interface Configuration

Configure an EVI named EVPN-VPWS supporting address-family evpn-vpws. The route-distinguisher should be set to 192.168.0.1:100 and the route-targets for both import and export should be set to target:64500:100.

Configure two VPWS services with the following parameters:

Interface            local service ID   remote service ID
hostif-0/0/11/101    122                211
hostif-0/0/11/102    123                321

Answer:
cfg> set instance EVPN-VPWS ipv4-router-id 192.168.0.1
cfg> set instance EVPN-VPWS route-distinguisher 192.168.0.1:100
cfg> set instance EVPN-VPWS address-family l2vpn evpn-vpws route-target import target:64500:100
cfg> set instance EVPN-VPWS address-family l2vpn evpn-vpws route-target export target:64500:100
cfg> set instance EVPN-VPWS protocol bgp local-as 64500
cfg> set instance EVPN-VPWS protocol bgp address-family l2vpn evpn-vpws interface hostif-0/0/11/101 local-service-id 122
cfg> set instance EVPN-VPWS protocol bgp address-family l2vpn evpn-vpws interface hostif-0/0/11/101 remote-service-id 221
cfg> set instance EVPN-VPWS protocol bgp address-family l2vpn evpn-vpws interface hostif-0/0/11/102 local-service-id 123
cfg> set instance EVPN-VPWS protocol bgp address-family l2vpn evpn-vpws interface hostif-0/0/11/102 remote-service-id 321
cfg> commit

Once the BGP session is established and EVPN routes are exchanged, we can inspect the BGP RIB-in:

cfg> show bgp rib-in l2vpn evpn peer R5
Instance: default, AFI: l2vpn, SAFI: evpn
 Hostname: R5, Peer IP: 192.168.0.5
 Source IP: 192.168.0.1, Received routes: 1
    Prefix                                       Next Hop                           MED       Lpref               AS Path        Status
    00.00.00.00.00.00.00.00.00.00:221/112        192.168.0.5                        -         100                 -              Valid

cfg> show bgp rib-in l2vpn evpn peer R5 detail
Instance: default, AFI: l2vpn, SAFI: evpn
  Peer: R5, Received routes: 1
    00.00.00.00.00.00.00.00.00.00:221/112, Received path ID: 0, Next hop: 192.168.0.5
      Status: Valid
      Protocol source: bgp, Send path ID: 495341019
      AS path: -
      MED: -, Local preference: 100
      Community: -
      Extended community: ['vpws-l2-info:0:0:0', 'target:64500:100']
      Large community: -
      Originator ID: -
      Cluster list: -
      Label: 20006,bos:1, Last update: 0d:00h:02m:17s

As expected, we have received an Ethernet Auto-Discovery route. The prefix contains the advertised Ethernet Segment Identifier 00.00.00.00.00.00.00.00.00.00 (which represents a single-homed ESI) as well as the service-id, which needs to match the remote-service-id. The update message also contains an MPLS service label.
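
The matching rule between the received service-id and the configured remote-service-id can also be checked offline. The following Python code is an added example, not part of the original module or of RBFS: it parses the service-id lines from the Exercise 3 answer and the EVPN prefixes shown in this module's outputs, and reports per attachment circuit whether a matching Ethernet Auto-Discovery route was received. The function names are hypothetical, ESI octets are assumed to be printed in hexadecimal, and route-targets and next hops are not evaluated.

```python
import re

# R1 service-id lines as they appear in the Exercise 3 answer of this module.
_P = "set instance EVPN-VPWS protocol bgp address-family l2vpn evpn-vpws interface "
R1_CONFIG = "\n".join([
    _P + "hostif-0/0/11/101 local-service-id 122",
    _P + "hostif-0/0/11/101 remote-service-id 221",
    _P + "hostif-0/0/11/102 local-service-id 123",
    _P + "hostif-0/0/11/102 remote-service-id 321",
])
# EVPN prefixes as printed in this module's rib-in and FIB outputs.
RECEIVED = ["00.00.00.00.00.00.00.00.00.00:221/112",
            "00.00.00.00.00.00.00.00.00.00:321/112"]

SVC_RE = re.compile(r"interface (\S+) (local|remote)-service-id (\d+)\s*$")


def parse_services(config):
    """Return {ifl: {'local': id, 'remote': id}} from 'set' lines."""
    services = {}
    for line in config.splitlines():
        m = SVC_RE.search(line)
        if m:
            services.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return services


def parse_ad_prefix(prefix):
    """Split '<ESI>:<service-id>/112' into (esi_bytes, service_id)."""
    body, plen = prefix.rsplit("/", 1)
    esi_text, sid = body.rsplit(":", 1)
    esi = bytes(int(octet, 16) for octet in esi_text.split("."))
    # 10-byte ESI (80 bits) + 4-byte Ethernet tag (32 bits) = 112 bits.
    if len(esi) != 10 or plen != "112":
        raise ValueError(f"not an EVPN VPWS A-D prefix: {prefix}")
    return esi, int(sid)


def check_pseudowires(config, prefixes):
    """Map each attachment circuit to 'ok ...' or the reason it cannot come up."""
    received = {sid: esi for esi, sid in map(parse_ad_prefix, prefixes)}
    report = {}
    for ifl, ids in parse_services(config).items():
        remote = ids.get("remote")
        if "local" not in ids or remote is None:
            report[ifl] = "incomplete: local and remote service-id required"
        elif remote not in received:
            report[ifl] = f"no A-D route for remote-service-id {remote}"
        else:  # an all-zero ESI marks a single-homed segment
            kind = "multihomed" if any(received[remote]) else "single-homed"
            report[ifl] = f"ok ({kind} ESI)"
    return report
```

Running the same check on the remote PE with its own configuration and received prefixes covers the "vice versa" half of the rule.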

A summary of all configured pseudowires can be seen using the show bgp l2vpn pseudowire command:

cfg> show bgp l2vpn pseudowire
Instance: EVPN-VPWS AFI: l2vpn, SAFI: evpn-vpws
  Route Distinguisher: 192.168.0.1:100
  Number of local interfaces: 2
    Interface name       Prefix                                     Status          Local SID  Remote SID Pop Label          Push Label
    hostif-0/0/11/101    00.00.00.00.00.00.00.00.00.00:122/112      Up                    122         221 label:20066,bos:1  label:20006,bos:1
    hostif-0/0/11/102    00.00.00.00.00.00.00.00.00.00:123/112      Up                    123         321 label:20067,bos:1  label:20008,bos:1

We can also verify that the corresponding entries were added to the FIB:

cfg> show bgp fib l2vpn
Instance: EVPN-VPWS, AFI: l2vpn, SAFI: evpn-vpws
  Prefix                                        Preference      Out Label            Next Hop
  00.00.00.00.00.00.00.00.00.00:321/112         200             20008,bos:1          192.168.0.6
  00.00.00.00.00.00.00.00.00.00:221/112         200             20006,bos:1          192.168.0.5
Instance: default, AFI: l2vpn, SAFI: evpn
  Prefix                                        Preference      Out Label            Next Hop
  00.00.00.00.00.00.00.00.00.00:321/112         200             -                    -
  00.00.00.00.00.00.00.00.00.00:122/112         200             -                    -
  00.00.00.00.00.00.00.00.00.00:123/112         200             -                    -
  00.00.00.00.00.00.00.00.00.00:221/112         200             -                    -

Summary

This module outlined the building blocks of BGP/MPLS-based EVPNs. You should be able to configure an EVPN VPWS.

If you have completed the exercise, you can check the results by executing:

student@tour:~/trainings_resources/robot$ robot mpls_evpn_pw/mpls_evpn_pw_verify.robot